A remote code execution vulnerability exists in VS Code 1.67.0 and earlier versions where opening a maliciously crafted URL intended for the "clone git repository from a URL" feature can result in executing commands locally. This scenario would require the attacker to get the VS Code user to open the malicious URL and then confirm opening it in the prompt shown by VS Code.
Patches
The fix is available starting with VS Code 1.67.1. The fix (c5da533) mitigates this attack by performing input validation on the URL pointing to the repository to be cloned.
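As an added illustration of the validation step described above (example code written for this page, not VS Code's own fix or its git extension), the following TypeScript checks a repository URL before it is handed to git. The names ALLOWED_SCHEMES, validateCloneUrl and buildCloneArgv, the scheme allowlist and the sample inputs are assumptions constructed for the example.

```typescript
// Added example (not VS Code's own code): validate a repository URL before it
// is passed to `git clone`. ALLOWED_SCHEMES, validateCloneUrl and
// buildCloneArgv are hypothetical names chosen for this example.

// Schemes a remote clone is expected to use. Rejecting file: and everything
// else is a deliberate, conservative choice for a URL received from outside.
const ALLOWED_SCHEMES: ReadonlySet<string> = new Set(["https:", "http:", "ssh:", "git:"]);

// Whitespace and control characters have no place in a repository URL.
// Checked on the raw string because the WHATWG URL parser silently strips
// leading/trailing spaces and C0 controls, which would otherwise hide them.
const FORBIDDEN_CHARS = /[\s\u0000-\u001f\u007f]/;

/**
 * Returns the normalised URL if `raw` is an acceptable clone target,
 * otherwise null. Anything that does not parse as an absolute URL with an
 * allow-listed scheme and a non-empty host is rejected; that includes
 * option-looking strings and scp-style `user@host:path` shorthand.
 */
function validateCloneUrl(raw: string): string | null {
  if (raw.length === 0 || FORBIDDEN_CHARS.test(raw)) {
    return null;
  }
  let parsed: URL;
  try {
    parsed = new URL(raw);
  } catch {
    return null; // not an absolute URL (no scheme, or malformed)
  }
  if (!ALLOWED_SCHEMES.has(parsed.protocol)) {
    return null;
  }
  if (parsed.hostname.length === 0) {
    return null;
  }
  // An embedded password in a URL received from outside is refused
  // (a username alone is kept, since ssh://git@host/... is normal).
  if (parsed.password.length > 0) {
    return null;
  }
  return parsed.href;
}

/**
 * Builds the argument vector for a clone, or null when the URL fails
 * validation. Passing an argv (no shell) and placing `--` before the URL
 * means git only ever sees the URL as a positional operand.
 */
function buildCloneArgv(raw: string, destDir: string): string[] | null {
  const url = validateCloneUrl(raw);
  if (url === null) {
    return null;
  }
  return ["git", "clone", "--", url, destDir];
}

// Constructed sample inputs for a stand-alone run.
const samples: string[] = [
  "https://github.com/microsoft/vscode.git",
  "ssh://git@github.com/microsoft/vscode.git",
  "git@github.com:microsoft/vscode.git", // scp shorthand: rejected by design
  "file:///tmp/repo",                    // local path: not allowed here
  "https://github.com/a b",             // whitespace: rejected
  "--not-a-url",                         // no scheme: rejected
];
for (const s of samples) {
  console.log(JSON.stringify(s), "=>", buildCloneArgv(s, "/tmp/clone") ?? "REJECTED");
}
```

The validator is deliberately strict: only absolute URLs with an allow-listed scheme pass, and the resulting argv is the only thing the caller should hand to a process spawner, never a concatenated command string.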
Workarounds
Do not open vscode:// URLs that originate from an untrusted source. Do not confirm opening untrusted URLs in VS Code.
References