CVE-2025-58371

9.8 CRITICAL

📋 TL;DR

CVE-2025-58371 is a critical vulnerability in Roo Code versions 3.26.6 and below that allows remote code execution on GitHub Actions runners. Attackers can craft malicious pull request metadata to execute arbitrary commands, potentially compromising repositories, stealing secrets, and modifying code. This affects all users running vulnerable versions of Roo Code in GitHub workflows.

💻 Affected Systems

Products:
  • Roo Code
Versions: 3.26.6 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects GitHub Actions workflows using Roo Code; requires pull request trigger.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the repository including code modification, secret exfiltration, malicious package/release creation, and lateral movement to connected systems.

🟠 Likely Case

Unauthorized code execution leading to repository tampering, secret theft, and potential supply chain attacks through malicious releases.

🟢 If Mitigated

Limited impact if workflow permissions are restricted and input validation is implemented, though some risk remains.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to create or influence pull requests; GitHub advisory provides technical details.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.26.7

Vendor Advisory: https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-xr6r-vj48-29f6

Restart Required: No

Instructions:

1. Update Roo Code to version 3.26.7 or higher.
2. Review and update GitHub Actions workflows to use the patched version.
3. Rotate any potentially exposed repository secrets.

🔧 Temporary Workarounds

Disable vulnerable workflows

Temporarily disable GitHub Actions workflows using Roo Code until patched.

Restrict workflow permissions

Limit GitHub Actions permissions to read-only where possible.
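
The check below is an added example, not code from the advisory or from the Roo Code project: it audits workflow YAML text for the two conditions this page names, a pull request trigger and token permissions that are not read-only. The sample workflows are constructed, and the line-based parsing is a simplifying assumption that covers common layouts rather than full YAML.

```python
import re

# Constructed sample workflows (not taken from any real repository).
RISKY = """\
on:
  pull_request:
    types: [opened, edited]
permissions:
  contents: write
  pull-requests: write
jobs: {}
"""
HARDENED = "on: [pull_request]\npermissions:\n  contents: read\njobs: {}\n"
NO_BLOCK = "on: pull_request\njobs: {}\n"


def pr_triggered(text):
    """True if the top-level `on:` key names a pull request event."""
    in_on = False
    for line in text.splitlines():
        if line.startswith("on:"):
            in_on = True
        elif line and not line[0].isspace():
            in_on = False  # the next top-level key ends the `on:` block
        if in_on and re.search(r"\bpull_request(_target)?\b", line):
            return True
    return False


def audit_workflow(text):
    """Return permission findings for a workflow reachable from pull requests."""
    if not pr_triggered(text):
        return []
    findings = []
    lines = text.splitlines()
    if not any(re.match(r"\s*permissions:", l) for l in lines):
        findings.append("no permissions block (repository default applies)")
    for l in lines:
        if re.match(r"\s*permissions:\s*write-all\b", l):
            findings.append("permissions: write-all")
        # Any indented `scope: write` line; may over-report on unrelated keys.
        m = re.match(r"\s+([a-z-]+):\s*write\s*(#.*)?$", l)
        if m:
            findings.append("write scope: " + m.group(1))
    return findings


if __name__ == "__main__":
    for name, wf in [("risky", RISKY), ("hardened", HARDENED), ("no-block", NO_BLOCK)]:
        print(name, audit_workflow(wf))
```

An empty result means the workflow is either not triggered by pull requests or declares only read scopes; any finding is a workflow to review before it runs again.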

🧯 If You Can't Patch

  • Implement strict pull request review processes to prevent malicious input
  • Isolate GitHub Actions runners from sensitive systems and implement network segmentation

🔍 How to Verify

Check if Vulnerable:

Check Roo Code version in GitHub Actions workflow files; versions ≤3.26.6 are vulnerable.

Check Version:

Check package.json or workflow YAML files for Roo Code version specification.

Verify Fix Applied:

Confirm Roo Code version is ≥3.26.7 in workflow files and verify workflow execution logs show no unexpected commands.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected commands in GitHub Actions runner logs
  • Unauthorized repository modifications
  • Suspicious secret access patterns

Network Indicators:

  • Unusual outbound connections from GitHub Actions runners
  • Unexpected package downloads during workflow execution

SIEM Query:

source="github-actions" AND (command_execution="*" OR repository_modification="*")
