{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-23T19:36:20.870","vulnerabilities":[{"cve":{"id":"CVE-2025-58374","sourceIdentifier":"security-advisories@github.com","published":"2025-09-06T03:15:40.097","lastModified":"2026-06-17T09:44:22.917","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a default list of allowed commands that do not need manual approval if auto-approve is enabled, and npm install is included in that list. Because npm install executes lifecycle scripts, if a repository’s package.json file contains a malicious postinstall script, it would be executed automatically without user approval. This means that enabling auto-approved commands and opening a malicious repo could result in arbitrary code execution. This is fixed in version 3.26.0."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"RooCodeInc","product":"Roo-Code","versions":[{"version":"< 3.26.0","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":7.8,"baseSeverity":"HIGH","attackVector":"LOCAL","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":1.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2025-09-08T13:53:41.487362Z","id":"CVE-2025-58374","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-78"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:roocode:roo_code:*:*:*:*:*:*:*:*","versionEndExcluding":"3.26.0","matchCriteriaId":"FF1ECC76-9F04-425B-9FDA-045A8B21F5E1"}]}]}],"references":[{"url":"https://github.com/RooCodeInc/Roo-Code/pull/7390/files","source":"security-advisories@github.com","tags":["Product"]},{"url":"https://github.com/RooCodeInc/Roo-Code/releases/tag/v3.26.0","source":"security-advisories@github.com","tags":["Release Notes"]},{"url":"https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-c292-qxq4-4p2v","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}