CVE-2025-58372 is a high-severity vulnerability affecting Roo-Code, an AI-powered autonomous coding agent integrated into users' editors, specifically versions prior to 3.26.0. The vulnerability arises from incorrect permission assignment (CWE-732) related to Visual Studio Code workspace configuration files (.code-workspace). Unlike the .vscode folder, which is properly protected, these workspace files are insufficiently secured. When the Roo-Code agent is configured to auto-approve file writes, an attacker capable of influencing the agent's prompts—such as through prompt injection techniques—can manipulate the agent to write malicious workspace settings or tasks into the .code-workspace file. These malicious tasks are then automatically executed upon reopening the workspace, enabling arbitrary code execution without user interaction or prior authentication. This flaw combines improper access control with the ability to execute code remotely, posing a significant risk to the confidentiality, integrity, and availability of affected systems. The vulnerability is tracked under CWE-732 (Incorrect Permission Assignment for Critical Resource) and CWE-94 (Improper Control of Generation of Code), highlighting both the permission misconfiguration and the code injection aspects. Although no known exploits are reported in the wild as of the publication date, the CVSS 3.1 base score of 8.1 reflects the high potential impact and network attack vector with no privileges or user interaction required. The issue is resolved in Roo-Code version 3.26.0, where appropriate protections for .code-workspace files have been implemented to prevent unauthorized modifications and execution of malicious tasks.

For European organizations, this vulnerability presents a critical risk, especially for software development teams and enterprises relying on Roo-Code within Visual Studio Code environments. Successful exploitation could lead to arbitrary code execution on developers' machines, potentially allowing attackers to implant backdoors, steal sensitive source code, intellectual property, or credentials, and pivot into internal networks. This could disrupt development workflows, compromise software supply chains, and lead to data breaches or ransomware deployment. Given the autonomous nature of the agent and the automatic execution of malicious tasks, detection may be delayed, increasing the window for attackers to cause damage. Organizations with remote or hybrid development environments may be particularly vulnerable, as attackers could exploit prompt injection vectors via compromised input channels or malicious code snippets. The vulnerability undermines trust in AI-assisted development tools and could have cascading effects on software integrity and organizational cybersecurity posture.

European organizations should immediately upgrade Roo-Code to version 3.26.0 or later to ensure the vulnerability is patched. Until the update is applied, organizations should disable the auto-approve file write feature in Roo-Code to prevent unauthorized modifications to workspace configuration files. Additionally, developers should restrict the use of untrusted or external code snippets and carefully monitor prompt inputs to the AI agent to mitigate prompt injection risks. Implementing endpoint detection and response (EDR) solutions that can detect anomalous task executions or changes to workspace files can provide early warning of exploitation attempts. Organizations should also enforce strict access controls on development environments and conduct regular audits of workspace configuration files for unauthorized changes. Training developers on secure AI tool usage and prompt hygiene can reduce the likelihood of successful prompt injection attacks. Finally, integrating code integrity verification and sandboxing of automated tasks within development environments can limit the impact of any malicious code execution.