
CVE-2025-58374: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in RooCodeInc Roo-Code

Severity: High
Tags: Vulnerability, CVE-2025-58374, CWE-78
Published: Sat Sep 06 2025 (09/06/2025, 02:19:40 UTC)
Source: CVE Database V5
Vendor/Project: RooCodeInc
Product: Roo-Code

Description

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a default list of allowed commands that do not need manual approval if auto-approve is enabled, and npm install is included in that list. Because npm install executes lifecycle scripts, if a repository’s package.json file contains a malicious postinstall script, it would be executed automatically without user approval. This means that enabling auto-approved commands and opening a malicious repo could result in arbitrary code execution. This is fixed in version 3.26.0.

AI-Powered Analysis

Last updated: 09/06/2025, 02:42:47 UTC

Technical Analysis

CVE-2025-58374 is a high-severity OS command injection vulnerability affecting Roo-Code, an AI-powered autonomous coding agent integrated into users' code editors. The vulnerability exists in versions prior to 3.26.0, where the application maintains a default list of commands that are auto-approved without manual user consent when the auto-approve feature is enabled. Among these commands is 'npm install', which is particularly risky because it executes lifecycle scripts defined in a repository's package.json file, including a potentially malicious postinstall script. An attacker who crafts a malicious repository with a harmful postinstall script can exploit this by tricking a user into opening the repository with Roo-Code configured to auto-approve commands; the script then runs on the user's machine without explicit approval, giving arbitrary code execution and compromising confidentiality, integrity, and availability. The vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), indicating that special characters or commands are not properly sanitized before execution. The CVSS v3.1 base score is 7.8, reflecting high severity: local attack vector, low attack complexity, and no privileges required, but user interaction (opening a malicious repository) is needed. Because arbitrary code execution can lead to full system compromise, both the integrity and the confidentiality of the affected system are at risk. The issue was fixed in Roo-Code version 3.26.0.

Potential Impact

For European organizations, this vulnerability poses a significant risk, especially to development teams and environments where Roo-Code is used to automate coding tasks. Since the attack requires opening a malicious repository, the threat vector is primarily supply chain attacks or social engineering targeting developers. Successful exploitation could lead to unauthorized code execution, data theft, insertion of backdoors, or disruption of development workflows, compromising sensitive intellectual property, customer data, and internal systems. Given the widespread use of Node.js and npm in European software development, and the increasing adoption of AI coding assistants, the vulnerability could affect a broad range of organizations, from startups to large enterprises. The risk is heightened in environments where auto-approve is enabled for convenience, potentially bypassing security controls. Additionally, a compromised developer machine could be used to pivot into corporate networks, escalating the impact beyond that single host. The lack of known exploits in the wild currently reduces immediate risk but does not diminish the potential impact if weaponized.

Mitigation Recommendations

European organizations should immediately upgrade Roo-Code to version 3.26.0 or later to remediate this vulnerability. Until the upgrade is applied, it is critical to disable the auto-approve feature for commands, especially those involving 'npm install' or other commands that execute lifecycle scripts. Developers should be trained to avoid opening untrusted repositories and to scrutinize package.json scripts for suspicious postinstall or lifecycle commands. Implementing endpoint protection with behavioral detection can help identify anomalous script executions. Organizations should also enforce strict code repository policies, including scanning dependencies and scripts for malicious content before use. Integrating static and dynamic analysis tools in CI/CD pipelines can detect potential malicious scripts early. Network segmentation and least privilege principles should be applied to limit the impact of any compromise. Finally, monitoring logs for unexpected npm lifecycle script executions can provide early indicators of exploitation attempts.
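The check recommended above, scrutinizing package.json for install-time lifecycle hooks before an unattended `npm install` is allowed, and the mechanism described in the technical analysis (npm running those hooks without any further prompt), as an added example that is not Roo-Code's own code. The manifest is constructed; the hook names are npm's standard lifecycle scripts and `--ignore-scripts` is npm's own switch for skipping them.

```python
"""Flag npm lifecycle hooks in a package.json before an auto-approved
`npm install` is allowed to run them (added example, not Roo-Code's code)."""
import json

# Hooks that a plain `npm install` runs for the root package with no further
# prompt; `postinstall` is the one named in the advisory. (Not exhaustive.)
INSTALL_HOOKS = ("preinstall", "install", "postinstall", "prepare", "prepublish")


def lifecycle_scripts(package_json_text: str) -> dict:
    """Return {hook: command} for every install-time hook declared in
    the "scripts" block of a package.json document."""
    manifest = json.loads(package_json_text)
    scripts = manifest.get("scripts") or {}
    if not isinstance(scripts, dict):
        raise ValueError('"scripts" must be a JSON object')
    return {hook: scripts[hook] for hook in INSTALL_HOOKS if hook in scripts}


def safe_to_auto_approve(package_json_text: str) -> bool:
    """True only when an unattended `npm install` would run no lifecycle
    script at all; anything else should fall back to manual approval."""
    return not lifecycle_scripts(package_json_text)


def npm_flags_for(package_json_text: str) -> list:
    """Extra flags a wrapper should pass when hooks are present:
    `--ignore-scripts` makes npm skip lifecycle scripts entirely."""
    return ["--ignore-scripts"] if lifecycle_scripts(package_json_text) else []


# Constructed sample manifest: a repository that declares a postinstall hook.
SAMPLE_MANIFEST = json.dumps({
    "name": "example-app",
    "version": "1.0.0",
    "scripts": {
        "build": "tsc",
        "test": "vitest",
        "postinstall": "node ./scripts/setup.js",
    },
})

if __name__ == "__main__":
    for hook, cmd in lifecycle_scripts(SAMPLE_MANIFEST).items():
        print(f"needs manual approval: {hook} -> {cmd!r}")
    print("npm flags:", npm_flags_for(SAMPLE_MANIFEST))
```

A wrapper that gates the agent's command list can call `safe_to_auto_approve` on the opened repository's package.json and either require a prompt or append `npm_flags_for` to the command.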


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-08-29T16:19:59.012Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68bb9c18535f4a97731dab54

Added to database: 9/6/2025, 2:27:36 AM

Last enriched: 9/6/2025, 2:42:47 AM

Last updated: 9/8/2025, 6:22:44 AM
