The Roo Code command auto-approval module contains an OS command injection vulnerability that bypasses its whitelist mechanism. The module uses regular expressions to parse commands, but it fails to detect standard shell substitutions such as $(…) and backticks. An attacker can craft a command like git log --grep="$(malicious_command)" which the module treats as a safe git operation, approves it automatically, and the underlying shell executes the injected code. This allows the attacker to run arbitrary commands on the host with the permissions of the Roo Code process, leading to full remote code execution without any user interaction.

The vulnerability affects instances of Roo Code that employ the command auto-approval module. No specific vendor is listed, and no version information is provided in the advisory, so any installation of Roo Code that contains this module and has not applied a vendor fix is potentially vulnerable.

No CVSS score or EPSS data is available, and the vulnerability is not present in the CISA KEV catalog. Nonetheless, the nature of the flaw allows an attacker with the ability to submit commands to the auto-approval system to execute arbitrary code. The likely attack vector is local or privileged access that enables the submission of crafted commands to the Roo Code process; remote exploitation would require a separate vulnerability to gain such access. Given the absence of mitigation information, the risk is considered high for affected systems, and administrators should treat it as a critical security issue.