CVE-2025-58370 Overview
CVE-2025-58370 is a command injection vulnerability affecting Roo Code, an AI-powered autonomous coding agent that operates within users' code editors. Versions below 3.26.0 contain a flaw in the command parsing logic where Bash parameter expansion and indirect references are not handled correctly. When the agent is configured to auto-approve execution of certain commands, an attacker capable of influencing prompts can exploit this weakness to execute arbitrary commands alongside the intended operations.
Critical Impact
Attackers who can influence AI prompts may achieve arbitrary command execution on systems where Roo Code is configured with auto-approval enabled, potentially leading to complete system compromise.
Affected Products
- Roocode Roo Code versions prior to 3.26.0
Discovery Timeline
- 2025-09-05 - CVE-2025-58370 published to NVD
- 2025-09-10 - Last updated in NVD database
Technical Details for CVE-2025-58370
Vulnerability Analysis
This vulnerability falls under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw exists within Roo Code's command parsing logic, which fails to properly sanitize Bash parameter expansion syntax and indirect variable references before executing commands.
When users configure Roo Code to auto-approve execution of specific commands (a convenience feature intended to streamline workflows), the agent bypasses confirmation prompts for those whitelisted commands. However, the inadequate parsing of shell metacharacters allows attackers to inject additional commands that piggyback on approved operations.
The network-based attack vector with high complexity requirements suggests that successful exploitation depends on specific environmental conditions and the attacker's ability to influence the AI agent's prompt context.
Root Cause
The root cause is improper input validation in the command parsing mechanism. Specifically, the parsing logic does not correctly handle Bash parameter expansion (such as ${variable}) and indirect references (like ${!variable}). This allows specially crafted input containing these shell constructs to bypass command validation checks, enabling command injection when the auto-approval feature is enabled.
Attack Vector
The attack requires an adversary to influence the prompts processed by the Roo Code agent. This could occur through various means:
- Malicious Repository Content: An attacker could embed malicious content in code repositories that the AI agent processes
- Prompt Injection: Crafted input designed to manipulate the AI's command generation behavior
- External Data Sources: Compromised external data sources that feed into the agent's context
When the agent generates and executes commands based on manipulated prompts, the improperly parsed Bash constructs allow additional arbitrary commands to execute alongside approved ones. The vulnerability requires the auto-approval feature to be enabled for exploitation, as manual approval would allow users to detect malicious commands.
For detailed technical information about this vulnerability, refer to the GitHub Security Advisory GHSA-2rm5-cvcm-7592.
Detection Methods for CVE-2025-58370
Indicators of Compromise
- Unexpected or unusual commands executed by the Roo Code agent that were not explicitly requested
- Log entries showing Bash parameter expansion syntax (${...}) in executed commands
- Suspicious process spawning from Roo Code extension processes
- Unusual network connections or file system modifications following Roo Code command execution
Detection Strategies
- Monitor Roo Code execution logs for commands containing shell metacharacters or parameter expansion syntax
- Implement behavioral analysis to detect anomalous command patterns from the AI agent
- Review audit trails for commands executed via auto-approval that differ from typical user workflows
- Deploy endpoint detection rules targeting process chains originating from code editor extensions
Monitoring Recommendations
- Enable verbose logging for Roo Code command execution to capture full command strings
- Implement real-time alerting for command executions containing suspicious shell constructs
- Monitor for privilege escalation attempts or lateral movement following Roo Code activity
- Establish baselines for normal Roo Code operation patterns to identify deviations
How to Mitigate CVE-2025-58370
Immediate Actions Required
- Upgrade Roo Code to version 3.26.0 or later immediately
- Disable auto-approval features for command execution until the patch is applied
- Review recent command execution history for any signs of exploitation
- Audit code repositories and data sources that interact with Roo Code for malicious content
Patch Information
The vulnerability is fixed in Roo Code version 3.26.0. Users should update to this version or later to remediate the vulnerability. The fix addresses the improper handling of Bash parameter expansion and indirect references in the command parsing logic.
For additional information, consult the official security advisory.
Workarounds
- Disable the auto-approval feature for all command executions until the patch is applied
- Manually review all commands before approval to detect potential injection attempts
- Restrict Roo Code's access to sensitive system resources and limit executable commands
- Implement network segmentation to contain potential compromise from affected systems
- Consider temporarily disabling the Roo Code extension in high-security environments until patching is complete
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
