The following table lists the changes that have been made to the
CVE-2025-58374 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution
of a vulnerability, and for identifying the most recent changes that may
impact the vulnerability’s severity, exploitability, or other characteristics.
Sep. 06, 2025
| Action | Type | Old Value | New Value |
|---|---|---|---|
| Added | Description | Roo Code is an AI-powered autonomous coding agent that lives in users’ editors. Versions 3.25.23 and below contain a default list of allowed commands that do not need manual approval if auto-approve is enabled, and npm install is included in that list. Because npm install executes lifecycle scripts, if a repository’s package.json file contains a malicious postinstall script, it would be executed automatically without user approval. This means that enabling auto-approved commands and opening a malicious repo could result in arbitrary code execution. This is fixed in version 3.26.0. | |
| Added | CVSS V3.1 | AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H | |
| Added | CWE | CWE-78 | |
| Added | Reference | https://github.com/RooCodeInc/Roo-Code/pull/7390/files | |
| Added | Reference | https://github.com/RooCodeInc/Roo-Code/releases/tag/v3.26.0 | |
| Added | Reference | https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-c292-qxq4-4p2v |
CVE ID : CVE-2025-10304 Published : Dec. 3, 2025, 3:27 a.m. | 26 minutes ago Description : The Everest Backup –
CVE ID : CVE-2025-12585 Published : Dec. 3, 2025, 3:27 a.m. | 26 minutes ago Description : The MxChat – AI
Unit A5, Endeavour Business Park
Penner Road, Havant
PO9 1QN
Company Registration Number: 5334133
Company VAT Number: 855 7246 95
