Roo Code: Potential Remote Code Execution via Bash Parameter Expansion...

8.1 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions below 3.26.0 contain a vulnerability in the command parsing logic where the Bash parameter expansion and indirect reference were not handled correctly. If the agent was configured to auto-approve execution of certain commands, an attacker able to influence prompts could abuse this weakness to execute additional arbitrary commands alongside the intended one. This is fixed in version 3.26.0.

Basic Information

ID CVE-2025-58370

Source GitHub_M

Published Sep 5, 2025 at 22:09

Affected Product

Vendor RooCodeInc

Product Roo-Code

Version < 3.26.0

Affected Versions RooCodeInc Roo-Code < 3.26.0

CWE Classification

CWE-78

References

github.com /RooCodeInc/Roo-Code/security/advisories/GHSA-2rm5-cvcm-7592

{
    "lastseen": "",
    "description": "Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions below 3.26.0 contain a vulnerability in the command parsing logic where the Bash parameter expansion and indirect reference were not handled correctly. If the agent was configured to auto-approve execution of certain commands, an attacker able to influence prompts could abuse this weakness to execute additional arbitrary commands alongside the intended one. This is fixed in version 3.26.0.",
    "published": "2025-09-05T22:09:04.786Z",
    "modified": "2025-09-05T22:09:52.492Z",
    "type": "cve",
    "title": "Roo Code: Potential Remote Code Execution via Bash Parameter Expansion and Indirect Reference",
    "source": "GitHub_M",
    "references": "https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-2rm5-cvcm-7592",
    "id": "CVE-2025-58370",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "RooCodeInc Roo-Code < 3.26.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.1,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Roo-Code",
    "version": "< 3.26.0",
    "vendor": "RooCodeInc",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Roo Code: Potential Remote Code Execution via Bash Parameter Expansion and Indirect Reference_CVE-2025-58370