CVE-2025-58370
BaseFortify
Publication date: 2025-09-05
Last updated on: 2025-09-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roocode | roo_code | to 3.26.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Roo Code versions below 3.26.0 in the command parsing logic. Specifically, the Bash parameter expansion and indirect reference were not handled correctly. If the agent was set to auto-approve execution of certain commands, an attacker who could influence prompts could exploit this flaw to execute additional arbitrary commands alongside the intended command.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability could execute arbitrary commands on your system without your consent, potentially leading to unauthorized access, data compromise, or disruption of services. Since the vulnerability allows command execution with high impact on confidentiality, integrity, and availability, it poses a serious security risk.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Roo Code to version 3.26.0 or later, as this version contains the fix for the command parsing vulnerability. Additionally, review and disable any auto-approval settings for command execution to prevent abuse of this weakness.