Unrated severityNVD Advisory· Published Sep 5, 2025· Updated Sep 8, 2025
Roo Code: Potential Remote Code Execution via Bash Parameter Expansion and Indirect Reference
CVE-2025-58370
Description
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions below 3.26.0 contain a vulnerability in the command parsing logic where the Bash parameter expansion and indirect reference were not handled correctly. If the agent was configured to auto-approve execution of certain commands, an attacker able to influence prompts could abuse this weakness to execute additional arbitrary commands alongside the intended one. This is fixed in version 3.26.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<3.26.0+ 1 more
- (no CPE)range: <3.26.0
- (no CPE)range: < 3.26.0
Patches
Vulnerability mechanics
References
1- github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-2rm5-cvcm-7592mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.