← volver
CVE-2025-58370

Roo Code: Potential Remote Code Execution via Bash Parameter Expansion and Indirect Reference

CVSS 8.1 HIGHEPSS 0.4%CWE-78
Vexday Risk Score
21Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 8.1EPSS 0.4%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
05 sep 2025Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions below 3.26.0 contain a vulnerability in the command parsing logic where the Bash parameter expansion and indirect reference were not handled correctly. If the agent was configured to auto-approve execution of certain commands, an attacker able to influence prompts could abuse this weakness to execute additional arbitrary commands alongside the intended one. This is fixed in version 3.26.0.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Productos afectados
RooCodeInc · Roo-Code

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-2rm5-cvcm-7592