CVE-2025-58373

Published: Sep 5, 2025

Modified: Sep 8, 2025

PUBLISHED

CVSS v3.1

5.5

MEDIUM

Description

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a vulnerability where .rooignore protections could be bypassed using symlinks. This allows an attacker with write access to the workspace to trick the extension into reading files that were intended to be excluded. As a result, sensitive files such as .env or configuration files could be exposed. An attacker able to modify files within the workspace could gain unauthorized access to sensitive information by bypassing .rooignore rules. This could include secrets, configuration details, or other excluded project data. This is fixed in version 3.26.0.

Vendor	Product	Versions
RooCodeInc	Roo-Code	affected `< 3.26.0`

Weaknesses (CWE)

CWE-59

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Attack Vector

Local

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/RooCodeInc/Roo-Code/security/advisories/GHSA-p76r-7mc3-qh7c

x_refsource_CONFIRM

https://github.com/RooCodeInc/Roo-Code/pull/7405

x_refsource_MISC

https://github.com/RooCodeInc/Roo-Code/releases/tag/v3.26.0

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-58373

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References