2 matches found
CVE-2025-58374 Roo Code: Auto-approve allows npm install execution of malicious postinstall scripts
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Versions 3.25.23 and below contain a default list of allowed commands that do not need manual approval if auto-approve is enabled, and npm install is included in that list. Because npm install executes lifecycle...
GHSA-4PC9-X2FX-P7VJ @cloudflare/workers-oauth-provider missing validation of redirect_uri on authorize endpoint
Summary The OAuth implementation failed to check that redirecturi was among the allowed set for the clientid. Impact Under certain circumstances see below, if a victim had previously authorized with a server built on workers-oath-provider, and an attacker could later trick the victim into visitin...