CVE-2025-58374: Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a def
Summary
Roo Code is an AI tool that helps developers write code directly in their editors, but versions 3.25.23 and older have a security flaw where npm install (a command that downloads and sets up code packages) is automatically approved without asking the user first. If a malicious repository's package.json file contains a postinstall script (code that runs automatically during package installation), it could execute harmful commands on the user's computer without their knowledge or consent.
Solution / Mitigation
This is fixed in version 3.26.0.
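The check below is an added example, not Roo Code's code or its 3.26.0 fix: it shows how a tool could inspect a repository's package.json for install-time lifecycle scripts before running npm install unprompted. It generalizes from postinstall to the other hooks npm runs on a bare `npm install`; the function names and sample manifests are constructed for illustration.

```javascript
// Added example: hypothetical helper names, constructed sample data.
// Lifecycle hooks npm runs for a bare `npm install` in a project directory.
const INSTALL_HOOKS = [
  "preinstall", "install", "postinstall",
  "prepublish", "preprepare", "prepare", "postprepare",
];

// Return the install-time hooks declared in the root package.json text.
function findInstallHooks(packageJsonText) {
  let manifest;
  try {
    manifest = JSON.parse(packageJsonText);
  } catch (err) {
    // Unparseable manifest: fail closed instead of guessing.
    return [{ hook: "(unparseable package.json)", command: String(err.message) }];
  }
  const scripts = manifest && typeof manifest === "object" ? manifest.scripts : null;
  if (!scripts || typeof scripts !== "object") return [];
  return INSTALL_HOOKS
    .filter((hook) => Object.prototype.hasOwnProperty.call(scripts, hook))
    .map((hook) => ({ hook, command: String(scripts[hook]) }));
}

// Decide whether `npm install` needs explicit user confirmation.
// Only the root manifest is inspected; dependencies can declare their own
// install scripts, which `npm install --ignore-scripts` suppresses.
function reviewNpmInstall(packageJsonText) {
  const hooks = findInstallHooks(packageJsonText);
  return { requiresPrompt: hooks.length > 0, hooks };
}

// Constructed sample manifests (not taken from any real repository).
const SAMPLE_WITH_HOOK = JSON.stringify({
  name: "demo", version: "1.0.0",
  scripts: { test: "jest", postinstall: "node setup.js" },
});
const SAMPLE_CLEAN = JSON.stringify({
  name: "demo", version: "1.0.0",
  scripts: { test: "jest", build: "tsc" },
});

for (const [label, text] of [["with hook", SAMPLE_WITH_HOOK], ["clean", SAMPLE_CLEAN]]) {
  const result = reviewNpmInstall(text);
  console.log(label, "-> requiresPrompt:", result.requiresPrompt, JSON.stringify(result.hooks));
}
```

A result with `requiresPrompt: true` lists each hook and the command it would run, which is what a user needs to see before approving the install.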
Vulnerability Details
7.8 (high)
EPSS: 0.0%
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-58374
First tracked: February 15, 2026 at 08:53 PM