Skip to content

Remote Code Execution Vulnerability

High
chrmarti published GHSA-r6q2-478f-5gmr Sep 12, 2023

Package

No package listed

Affected versions

<1.82.1

Patched versions

1.82.1

Description

A remote code execution vulnerability exists in VS Code 1.82.0 and earlier versions that working in a maliciously crafted package.json can result in executing commands locally. This scenario would require the attacker to get the VS Code user to open the malicious project and have get the user to open and work with malformed entries in the dependencies sections of the package.json file.

VS Code uses the locally installed npm command to fetch information on package dependencies. A package dependency can be named in such a way that the npm tool runs a script instead.

Patches

The fix is available starting with VS Code 1.82.1. The fix (e7b3397) mitigates this attack by turning off the usage of npm in an untrusted workspace and by adding extra input validation when calling the npm command.

Workarounds

Do not work with the dependencies sections in the package.json file that originate from an untrusted source.

References

Severity

High

CVE ID

CVE-2023-36742

Weaknesses

No CWEs