CVE-2025-58371

Critical · RCE

Published: 05 September 2025
Modified: 15 September 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0050 (66.3rd percentile)
Risk Priority: 20 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-58371 is a critical-severity OS Command Injection (CWE-78) vulnerability in Roocode Roo Code. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unsecured Credentials (T1552). The CVE ranks in the top 33.7% of CVEs by exploit likelihood (EPSS) and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised under AI Agent Protocols and Integrations, within the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Unsecured Credentials (T1552) and 2 other techniques. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

prevent (SI-10, Information Input Validation): Requires validation and sanitization of untrusted pull request metadata before it is used in privileged GitHub workflow command execution, directly preventing OS command injection.

prevent (AC-6, Least Privilege): Enforces least privilege on GitHub Actions workflows and runners to limit the scope of compromise, permissions, and access to secrets if RCE occurs.

prevent: Establishes and enforces secure configuration settings for GitHub workflows, including input sanitization and restricted permissions, addressing the unsanitized metadata flaw.

MITRE ATT&CK Enterprise Techniques

T1552 Unsecured Credentials (Credential Access): Adversaries may search compromised systems to find and obtain insecurely stored credentials.
T1195.002 Compromise Software Supply Chain (Initial Access): Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
T1677 Poisoned Pipeline Execution (Execution): Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code into the build process.
Why these techniques?

The GitHub workflow vulnerability enables RCE via unsanitized PR metadata (T1677: Poisoned Pipeline Execution), access to repository secrets (T1552: Unsecured Credentials), and full repository compromise for malicious code pushes, releases, or packages (T1195.002: Compromise Software Supply Chain).

NVD Description

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.26.6 and below, a GitHub workflow used unsanitized pull request metadata in a privileged context, allowing an attacker to craft malicious input and achieve Remote Code Execution (RCE) on the Actions runner. The workflow runs with broad permissions and access to repository secrets. It is possible for an attacker to execute arbitrary commands on the runner, push or modify code in the repository, access secrets, and create malicious releases or packages, resulting in a complete compromise of the repository and its associated services. This is fixed in version 3.26.7.

Deeper analysis

CVE-2025-58371 is a critical vulnerability in Roo Code, an AI-powered autonomous coding agent that integrates into users' editors. Affecting versions 3.26.6 and below, it arises from a GitHub workflow that processes unsanitized pull request metadata in a privileged context, enabling remote code execution (RCE) on the GitHub Actions runner. The flaw, classified as CWE-78 (OS Command Injection), carries a CVSS 3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-09-05.

Unauthenticated attackers can exploit the vulnerability by crafting malicious pull request metadata, requiring only network access to the repository. Successful exploitation grants RCE on the Actions runner, which operates with broad permissions and access to repository secrets. This allows arbitrary command execution, pushing or modifying code in the repository, exfiltrating secrets, and creating malicious releases or packages, culminating in complete compromise of the repository and associated services.

The vulnerability is addressed in Roo Code version 3.26.7. Security practitioners should update to this version immediately. Additional details are available in the GitHub security advisory at https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-xr6r-vj48-29f6 and the fixing commit at https://github.com/RooCodeInc/Roo-Code/commit/a0384f35d5ae3b7f66506cc62dda25d9bb673f49.
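As an added example (not the project's code and not the workflow from the advisory), a small standard-library Python check for the bug class described above: untrusted `github.event` fields interpolated directly into a `run:` script. It is run over two constructed workflows, one vulnerable and one that passes the same value through `env:` instead; the list of untrusted fields is an assumption drawn from GitHub's general workflow-hardening guidance, not from the advisory.

```python
import re

# Constructed sample workflows (illustrative only, NOT the Roo Code workflow from
# the advisory): the first interpolates PR metadata into a shell script, the second passes it via env:.
VULNERABLE_WORKFLOW = """\
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - run: echo "PR title: ${{ github.event.pull_request.title }}"
"""

HARDENED_WORKFLOW = """\
on: pull_request_target
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: echo "PR title: $PR_TITLE"
"""

# Event-context fields whose content is written by the PR or issue author (assumed list).
UNTRUSTED_PREFIXES = (
    "github.event.pull_request.title",
    "github.event.pull_request.body",
    "github.event.pull_request.head.ref",
    "github.head_ref",
)
EXPR = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")

def find_unsafe_run_steps(workflow_text):
    """Return (line_number, expression) for each ${{ }} expression in a run:
    block that references untrusted event data; env: assignments are not flagged."""
    findings, in_run, run_indent = [], False, 0
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if stripped.startswith(("run:", "- run:")):
            in_run, run_indent = True, indent
        elif in_run and stripped and indent <= run_indent:
            in_run = False  # dedented back to step level: script block ended
        if in_run:
            for expr in EXPR.findall(line):
                if expr.startswith(UNTRUSTED_PREFIXES):
                    findings.append((lineno, expr))
    return findings
```

The hardened form is the SI-10 control in practice: the metadata still reaches the step, but as a shell variable whose content is never parsed as script text.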

Details

CWE(s): CWE-78 (OS Command Injection)

Affected Products: roocode roo code, ≤ 3.26.7

AI Security Analysis

AI Category: AI Agent Protocols and Integrations
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Roo Code is described as an AI-powered autonomous coding agent that integrates into users' editors, which aligns with the AI Agent Protocols and Integrations category.

CVEs Like This One

CVE-2025-58370 (same product: Roocode Roo Code)
CVE-2025-65946 (same product: Roocode Roo Code)
CVE-2026-30307 (same product: Roocode Roo Code)
CVE-2025-66401 (shared CWE-78)
CVE-2026-40933 (shared CWE-78)
CVE-2026-25546 (shared CWE-78)
CVE-2025-64109 (shared CWE-78)
CVE-2026-34935 (shared CWE-78)
CVE-2026-23882 (shared CWE-78)
CVE-2026-6942 (shared CWE-78)