CVE-2025-58370: Roocode Roo Code RCE Vulnerability

CVE-2025-58370 Overview

CVE-2025-58370 is a command injection vulnerability affecting Roo Code, an AI-powered autonomous coding agent that operates within users' code editors. Versions below 3.26.0 contain a flaw in the command parsing logic where Bash parameter expansion and indirect references are not handled correctly. When the agent is configured to auto-approve execution of certain commands, an attacker capable of influencing prompts can exploit this weakness to execute arbitrary commands alongside the intended operations.

Critical Impact
Attackers who can influence AI prompts may achieve arbitrary command execution on systems where Roo Code is configured with auto-approval enabled, potentially leading to complete system compromise.

Affected Products

Roocode Roo Code versions prior to 3.26.0

Discovery Timeline

2025-09-05 - CVE-2025-58370 published to NVD
2025-09-10 - Last updated in NVD database

Technical Details for CVE-2025-58370

Vulnerability Analysis

This vulnerability falls under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw exists within Roo Code's command parsing logic, which fails to properly sanitize Bash parameter expansion syntax and indirect variable references before executing commands.

When users configure Roo Code to auto-approve execution of specific commands (a convenience feature intended to streamline workflows), the agent bypasses confirmation prompts for those whitelisted commands. However, the inadequate parsing of shell metacharacters allows attackers to inject additional commands that piggyback on approved operations.

The network-based attack vector with high complexity requirements suggests that successful exploitation depends on specific environmental conditions and the attacker's ability to influence the AI agent's prompt context.

Root Cause

The root cause is improper input validation in the command parsing mechanism. Specifically, the parsing logic does not correctly handle Bash parameter expansion (such as ${variable}) and indirect references (like ${!variable}). This allows specially crafted input containing these shell constructs to bypass command validation checks, enabling command injection when the auto-approval feature is enabled.

Attack Vector

The attack requires an adversary to influence the prompts processed by the Roo Code agent. This could occur through various means:

Malicious Repository Content: An attacker could embed malicious content in code repositories that the AI agent processes
Prompt Injection: Crafted input designed to manipulate the AI's command generation behavior
External Data Sources: Compromised external data sources that feed into the agent's context

When the agent generates and executes commands based on manipulated prompts, the improperly parsed Bash constructs allow additional arbitrary commands to execute alongside approved ones. The vulnerability requires the auto-approval feature to be enabled for exploitation, as manual approval would allow users to detect malicious commands.

For detailed technical information about this vulnerability, refer to the GitHub Security Advisory GHSA-2rm5-cvcm-7592.

Detection Methods for CVE-2025-58370

Indicators of Compromise

Unexpected or unusual commands executed by the Roo Code agent that were not explicitly requested
Log entries showing Bash parameter expansion syntax (${...}) in executed commands
Suspicious process spawning from Roo Code extension processes
Unusual network connections or file system modifications following Roo Code command execution

Detection Strategies

Monitor Roo Code execution logs for commands containing shell metacharacters or parameter expansion syntax
Implement behavioral analysis to detect anomalous command patterns from the AI agent
Review audit trails for commands executed via auto-approval that differ from typical user workflows
Deploy endpoint detection rules targeting process chains originating from code editor extensions

Monitoring Recommendations

Enable verbose logging for Roo Code command execution to capture full command strings
Implement real-time alerting for command executions containing suspicious shell constructs
Monitor for privilege escalation attempts or lateral movement following Roo Code activity
Establish baselines for normal Roo Code operation patterns to identify deviations

How to Mitigate CVE-2025-58370

Immediate Actions Required

Upgrade Roo Code to version 3.26.0 or later immediately
Disable auto-approval features for command execution until the patch is applied
Review recent command execution history for any signs of exploitation
Audit code repositories and data sources that interact with Roo Code for malicious content

Patch Information

The vulnerability is fixed in Roo Code version 3.26.0. Users should update to this version or later to remediate the vulnerability. The fix addresses the improper handling of Bash parameter expansion and indirect references in the command parsing logic.

For additional information, consult the official security advisory.

Workarounds

Disable the auto-approval feature for all command executions until the patch is applied
Manually review all commands before approval to detect potential injection attempts
Restrict Roo Code's access to sensitive system resources and limit executable commands
Implement network segmentation to contain potential compromise from affected systems
Consider temporarily disabling the Roo Code extension in high-security environments until patching is complete