A remote code execution vulnerability exists in VS Code 1.82.0 and earlier versions that working in a maliciously crafted package.json can result in executing commands locally. This scenario would require the attacker to get the VS Code user to open the malicious project and have get the user to open and work with malformed entries in the dependencies sections of the package.json file.
VS Code uses the locally installed npm command to fetch information on package dependencies. A package dependency can be named in such a way that the npm tool runs a script instead.
Patches
The fix is available starting with VS Code 1.82.1. The fix (e7b3397) mitigates this attack by turning off the usage of npm in an untrusted workspace and by adding extra input validation when calling the npm command.
Workarounds
Do not work with the dependencies sections in the package.json file that originate from an untrusted source.
References
A remote code execution vulnerability exists in VS Code 1.82.0 and earlier versions that working in a maliciously crafted
package.jsoncan result in executing commands locally. This scenario would require the attacker to get the VS Code user to open the malicious project and have get the user to open and work with malformed entries in the dependencies sections of thepackage.jsonfile.VS Code uses the locally installed
npmcommand to fetch information on package dependencies. A package dependency can be named in such a way that thenpmtool runs a script instead.Patches
The fix is available starting with VS Code 1.82.1. The fix (e7b3397) mitigates this attack by turning off the usage of
npmin an untrusted workspace and by adding extra input validation when calling the npm command.Workarounds
Do not work with the dependencies sections in the
package.jsonfile that originate from an untrusted source.References