It is a security issue, but not one with Roundcube specifically.
You do not need to chmod to 777, simply chown the directories to the user that your server runs under.
Typically for Apache this is "nobody" (an actual user called nobody)
Personally, I'd chmod 755, and chown nobody:nobody. You could make it more secure still.