Visual Studio Code RCE Vulnerability (CVE-2023-36742): Public PoC Exploit Revealed

November 22, 2023

Researchers have unveiled the specifics of a remote code execution vulnerability (CVE-2023-36742, CVSS score of 7.8) in Visual Studio Code, along with a public proof-of-concept (PoC) exploit. The vulnerability is present in VS Code versions 1.82.0 and earlier and is triggered when interacting with a maliciously created package.json file, leading to local command execution.

The attack scenario involves an attacker convincing a VS Code user to open a malevolent project and interact with tampered entries in the dependencies sections of the package.json file. VS Code uses the locally installed npm command to gather data about package dependencies. In this vulnerability, a package dependency can be altered in a way that the npm tool unintentionally runs a script.

A solution to this issue is available from VS Code 1.82.1 onwards. The patch (referred to as e7b3397) thwarts this type of attack by deactivating the use of npm in untrusted workspaces and adding extra input validation when running the npm command. It also recommends not interacting with the dependencies sections in the package.json file sourced from untrusted origins.

Thomas Chauchefoin and Paul Gerste from SonarSource have disclosed the technical details for CVE-2023-36742 and a public PoC exploit. This PoC shows how the vulnerability can be exploited to run arbitrary code on a compromised system. “The most fascinating aspect was exploiting NPM’s option to alter its global configuration, –globalconfig,” the researchers explain in their technical documentation. They outline a scenario where a random configuration from a local file named description, part of the malicious project, is loaded: npm view –json –globalconfig description dist-tags.latest homepage version time.

This method, despite not considering the limitations of newer NPM versions or other platforms, demonstrates the potential for using such vulnerabilities to run arbitrary commands in untrusted workspaces. To highlight the seriousness and practicality of this vulnerability, the researchers shared a video showing how this flaw in Visual Studio Code can be exploited. This visual demonstration not only showcases the vulnerability but also serves as a stern warning to the developer community.

While the researchers acknowledge that the exploit may not be applicable in more recent versions of NPM and other platforms, it highlights the potential for remote code execution attacks in untrusted workspaces. Users are strongly urged to upgrade to the latest version of VS Code (1.82.1 or later) and to be careful when opening projects from untrusted sources.

Latest News

Like what you see?

Get a digest of headlines, vulnerabilities, risk context, and more delivered to your inbox.

Subscribe Below

By submitting this form, you’re giving us permission to email you. You may unsubscribe at any time.

Accelerate Security Teams

Continuously identify and prioritize the risks that are most critical in your environment, and validate that your remediation efforts are reducing risk. An always-on single source-of-truth of your assets, services, and vulnerabilities.