PT-2025-36345 · Robocode+1 · Robocode+1

Thelicato

·

Publicado

2025-09-06

·

Atualizado

2025-09-06

·

CVE-2025-58374

CVSS v3.1

7.8

Alta

VetorAV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Roo Code versions 3.25.23 and below
Description Roo Code is an AI-powered autonomous coding agent. Versions 3.25.23 and below include npm install in a default list of auto-approved commands. Because npm install executes lifecycle scripts, a malicious package.json file with a malicious postinstall script could be executed automatically without user approval, potentially leading to arbitrary code execution.
Recommendations Update to version 3.26.0 or later.

Exploit

Correção

OS Command Injection

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-78

Identificadores relacionados

CVE-2025-58374
GHSA-C292-QXQ4-4P2V

Produtos afetados

Robocode
Npm