216.73.217.139

CVE-2025-58374

· Published 06/09/2025 03:15 · Modified 06/09/2025 03:15

Labels: CVE-2025-58374 2025-09-06CVE-2025-58374CWE-78[email protected]

Essential information

Published
06/09/2025 03:15
Modified
06/09/2025 03:15
Author
Creator
CVSS
7.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS metrics

Description

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a default list of allowed commands that do not need manual approval if auto-approve is enabled, and npm install is included in that list. Because npm install executes lifecycle scripts, if a repository’s package.json file contains a malicious postinstall script, it would be executed automatically without user approval. This means that enabling auto-approved commands and opening a malicious repo could result in arbitrary code execution. This is fixed in version 3.26.0.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
roo code / roo code cpe:2.3:a:roo_code:roo_code:3.25.23:*:*:*:*:*:*:*
roo code / roo code cpe:2.3:a:roo_code:roo_code:3.26.0:*:*:*:*:*:*:*

References