Remote Code Execution Vulnerability in Roo Code by RooCode Inc.
CVE-2025-58371

9.9CRITICAL

Key Information:

Vendor: Roocodeinc
Status: Roo-code
Vendor: CVE Published:; 5 September 2025

What is CVE-2025-58371?

In earlier versions of Roo Code (3.26.6 and below), a vulnerability exists due to unsanitized pull request metadata within a privileged GitHub workflow. This flaw allows an attacker to execute arbitrary code on the Actions runner, leveraging extensive permissions and access to sensitive repository secrets. Consequently, the attacker can modify code in the repository, push malicious updates, and create harmful releases, leading to a thorough compromise of the repository ecosystem. A fix has been implemented in version 3.26.7.

Affected Version(s)

Roo-Code < 3.26.7

References

https://github.com/RooCodeInc/Roo-Code/security/advisorie...

x_refsource_CONFIRM

https://github.com/RooCodeInc/Roo-Code/commit/a0384f35d5a...

x_refsource_MISC

CVSS V4

Score:

9.9

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 5, 2025
Vulnerability Reserved
Aug 29, 2025

Roocodeinc

What is CVE-2025-58371?

Affected Version(s)

References

CVSS V4

Timeline