VSCode

Breaking Out of Restricted Mode: XSS to RCE in Visual Studio Code

by

Author: Devesh Logendran (STAR Labs SG) Published: May 14, 2025 Source: https://starlabs.sg/blog/2025/05-breaking-out-of-restricted-mode-xss-to-rce-in-visual-studio-code/ Summary STAR Labs detailed a cross-site scripting flaw in Visual Studio Code’s Jupyter notebook error rendering that can be chained into full remote code execution. A crafted .ipynb file triggers unsanitized HTML in the “minimal error” renderer, executing JavaScript inside a VS Code … Read more

Visual Studio Code: Remote Code Execution (CVE-2022-41034)

by

Author: Zemnmez (@Zemnmez), Google Security Research Published: December 1, 2022 Source: https://github.com/google/security-research/security/advisories/GHSA-pw56-c55x-cm9m Summary Google Security Research disclosed a critical remote code execution vulnerability (CVE-2022-41034) in Microsoft Visual Studio Code. By luring a victim into clicking a crafted link, an attacker could cause VS Code to open a remote Jupyter Notebook in a trusted context, abuse … Read more

Securing Developer Tools: Git Integrations

by

Author: Thomas Chauchefoin (Vulnerability Researcher, Sonar) Published: March 15, 2022 Source: https://www.sonarsource.com/blog/securing-developer-tools-git-integrations/ Summary Sonar’s research team showed how a malicious Git repository can achieve arbitrary code execution simply by being opened in a developer tool or navigated to in a terminal. The trick abuses Git’s per-repository .git/config and its core.fsmonitor directive, which Git runs as … Read more

Securing Developer Tools: Argument Injection in Visual Studio Code

by

Author: Thomas Chauchefoin (Vulnerability Researcher, Sonar) Published: August 23, 2022 Source: https://www.sonarsource.com/blog/securing-developer-tools-argument-injection-in-vscode/ Summary Sonar’s research team disclosed an argument injection vulnerability (CVE-2022-30129) in Visual Studio Code’s built-in Git integration. By luring a developer into clicking a crafted vscode:// URI, an attacker could smuggle dash-prefixed options into the underlying git command line and achieve arbitrary command … Read more

VSCode Remote Code Execution advisory

by

Author: Ammar Askar Published: May 30, 2023 Source: http://blog.ammaraskar.com/vscode-rce/ Summary Security researcher Ammar Askar disclosed a remote code execution vulnerability in Visual Studio Code that could be triggered simply by opening an untrusted folder. The flaw stemmed from an undocumented core setting, _workbench.experimentsUrl, which was never registered as a “restricted” configuration. Because of this oversight, … Read more

1-Click GitHub Token Stealing via a VSCode Bug

by

Author: Ammar Askar Published: June 2, 2026 Source: https://blog.ammaraskar.com/github-token-stealing/ Summary A security researcher discovered a critical vulnerability in VSCode’s webview security model that allows an attacker to steal a victim’s GitHub authentication token — which carries full access to all of their repositories — through a single malicious link. The attack targets github.dev, GitHub’s browser-based … Read more