{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2026-30307", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2026-03-30T19:05:45.827Z", "dateReserved": "2026-03-04T00:00:00.000Z", "datePublished": "2026-03-30T00:00:00.000Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-03-30T19:05:45.827Z"}, "descriptions": [{"lang": "en", "value": "Roo Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile regular expressions to parse command structures; while it attempts to intercept dangerous operations, it fails to account for standard Shell command substitution Roo Code (specifically$(...)and backticks ...). An attacker can construct a command such as git log --grep=\"$(malicious_command)\", forcing Syntx to misidentify it as a safe git operation and automatically approve it. The underlying Shell prioritizes the execution of the malicious code injected within the arguments, resulting in Remote Code Execution without any user interaction."}], "affected": [{"vendor": "n/a", "product": "n/a", "versions": [{"version": "n/a", "status": "affected"}]}], "references": [{"url": "https://roocode.com/"}, {"url": "https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/7"}], "problemTypes": [{"descriptions": [{"type": "text", "lang": "en", "description": "n/a"}]}]}}, "dataVersion": "5.2"}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Roo Code's command auto-approval module contains a critical OS command injection vulnerability that renders its whitelist security mechanism completely ineffective. The system relies on fragile regular expressions to parse command structures; while it attempts to intercept dangerous operations, it fails to account for standard Shell command substitution Roo Code (specifically$(...)and backticks ...). An attacker can construct a command such as git log --grep=\"$(malicious_command)\", forcing Syntx to misidentify it as a safe git operation and automatically approve it. The underlying Shell prioritizes the execution of the malicious code injected within the arguments, resulting in Remote Code Execution without any user interaction."}], "id": "CVE-2026-30307", "lastModified": "2026-03-30T20:16:21.220", "metrics": {}, "published": "2026-03-30T20:16:21.220", "references": [{"source": "cve@mitre.org", "url": "https://github.com/Secsys-FDU/LLM-Tool-Calling-CVEs/issues/7"}, {"source": "cve@mitre.org", "url": "https://roocode.com/"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received"}

{}

{"analysis": {"en": {"generated_at": "2026-03-30T20:24:43.601890+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011released patch or upgrade Roo Code to a version that resolves the command auto\u2011approval flaw.", "Disable or remove the auto\u2011approval feature, and enforce manual command approval or a stricter whitelist.", "Audit and update the regex patterns used for command validation to reject shell expansions such as $(\u2026) and backticks.", "Monitor system logs for unusual command execution and perform regular penetration testing to confirm the vulnerability is mitigated."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects instances of Roo Code that employ the command auto-approval module. No specific vendor is listed, and no version information is provided in the advisory, so any installation of Roo Code that contains this module and has not applied a vendor fix is potentially vulnerable.", "description_and_impact": "The Roo Code command auto-approval module contains an OS command injection vulnerability that bypasses its whitelist mechanism. The module uses regular expressions to parse commands, but it fails to detect standard shell substitutions such as $(\u2026) and backticks. An attacker can craft a command like git log --grep=\"$(malicious_command)\" which the module treats as a safe git operation, approves it automatically, and the underlying shell executes the injected code. This allows the attacker to run arbitrary commands on the host with the permissions of the Roo Code process, leading to full remote code execution without any user interaction.", "risk_and_exploitability": "No CVSS score or EPSS data is available, and the vulnerability is not present in the CISA KEV catalog. Nonetheless, the nature of the flaw allows an attacker with the ability to submit commands to the auto-approval system to execute arbitrary code. The likely attack vector is local or privileged access that enables the submission of crafted commands to the Roo Code process; remote exploitation would require a separate vulnerability to gain such access. Given the absence of mitigation information, the risk is considered high for affected systems, and administrators should treat it as a critical security issue."}}}}, "created": "2026-03-30T20:56:13.940702+00:00", "title": "OS Command Injection in Roo Code Command Auto-Approval Module", "updated": "2026-03-30T20:56:13.940727+00:00", "vendors": [], "weaknesses": ["CWE-78"]}