Description

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions below 3.26.0 contain a vulnerability in the command parsing logic where the Bash parameter expansion and indirect reference were not handled correctly. If the agent was configured to auto-approve execution of certain commands, an attacker able to influence prompts could abuse this weakness to execute additional arbitrary commands alongside the intended one. This is fixed in version 3.26.0.

INFO

Published Date :

2025-09-05T22:09:04.786Z

Last Modified :

2025-09-08T20:10:12.235Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-58370 vulnerability.

Vendors Products
Roocode
  • Roo Code
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-58370.

URL Resource
https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-2rm5-cvcm-7592 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact