CVE-2025-58372 is a high-severity vulnerability affecting Roo-Code, an AI-powered autonomous coding agent integrated within users' editors, specifically versions 3.25.23 and earlier. The vulnerability arises from incorrect permission assignment (CWE-732) related to Visual Studio Code workspace configuration files (.code-workspace). Unlike the .vscode folder, which is typically protected, these workspace files are not adequately safeguarded. When the Roo-Code agent is configured to auto-approve file writes, an attacker capable of influencing the agent's prompts—such as through prompt injection techniques—can manipulate the agent to write malicious workspace settings or tasks into the .code-workspace file. Upon reopening the workspace, these malicious tasks can execute automatically, leading to arbitrary code execution on the victim's system. This flaw combines improper permission management with the risk of code injection (CWE-94), enabling attackers to escalate privileges or execute harmful payloads without requiring user interaction or prior authentication. The vulnerability has a CVSS v3.1 score of 8.1, indicating a high impact on confidentiality, integrity, and availability. The issue was publicly disclosed on September 5, 2025, and fixed in Roo-Code version 3.26.0. No known exploits are currently reported in the wild, but the potential for exploitation exists given the nature of the vulnerability and the widespread use of VS Code and its extensions in development environments.

For European organizations, this vulnerability poses significant risks, especially within software development teams and enterprises relying on Roo-Code for AI-assisted coding workflows. Successful exploitation could lead to arbitrary code execution on developers' machines, potentially allowing attackers to implant backdoors, steal sensitive intellectual property, or pivot into internal networks. The automated execution of malicious tasks upon workspace reopening increases the risk of persistent compromise without direct user action. Confidentiality breaches could expose proprietary codebases and customer data, while integrity violations might corrupt code or inject malicious logic into software products. Availability could also be impacted if attackers deploy destructive payloads. Given the integration of Roo-Code in popular editors like VS Code, organizations with extensive developer operations or CI/CD pipelines are particularly vulnerable. The lack of authentication and user interaction requirements further amplifies the threat, making it easier for attackers to exploit this vulnerability remotely if they can influence the agent's prompts, for example, via compromised dependencies or malicious code contributions.

European organizations should immediately upgrade Roo-Code to version 3.26.0 or later to remediate this vulnerability. Additionally, organizations should audit and restrict the auto-approval settings for file writes within Roo-Code configurations to prevent unauthorized modifications. Implement strict code review and validation processes to detect and block malicious prompt injections or suspicious workspace configuration changes. Employ endpoint protection solutions capable of detecting anomalous task executions triggered by workspace files. Developers should avoid opening untrusted or externally sourced .code-workspace files and consider isolating development environments using containerization or virtual machines to limit the impact of potential compromises. Monitoring and alerting on changes to workspace configuration files can provide early detection of exploitation attempts. Finally, educating developers about the risks of prompt injection and secure configuration practices will reduce the attack surface.