Name of the Vulnerable Software and Affected Versions:

Roo Code versions 3.25.23 and below

Description:

Roo Code is an AI-powered autonomous coding agent. Versions 3.25.23 and below include `npm install` in a default list of auto-approved commands. Because `npm install` executes lifecycle scripts, a malicious `package.json` file with a malicious `postinstall` script could be executed automatically without user approval, potentially leading to arbitrary code execution.

Recommendations:

Update to version 3.26.0 or later.