Login Sign Up

CVE-2020-0604

7.8 HIGH
Remote Code Execution

📋 TL;DR

A remote code execution vulnerability in Visual Studio Code allows attackers to run arbitrary code when users open malicious repositories and use the integrated terminal. This affects all Visual Studio Code users who clone and open untrusted repositories. The vulnerability exploits improper handling of environment variables during project initialization.

💻 Affected Systems

Products:
  • Visual Studio Code
Versions: All versions before 1.41.1
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present in default installations when users open projects with integrated terminal.

📦 What is this software?

Visual Studio Code by Microsoft

View all CVEs affecting Visual Studio Code →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with administrative privileges, allowing attackers to install malware, steal data, create backdoors, and pivot to other systems.

🟠

Likely Case

Attacker gains user-level access to execute code, potentially stealing credentials, accessing sensitive files, and establishing persistence on the compromised machine.

🟢

If Mitigated

Limited impact with proper user training, restricted repository sources, and running Visual Studio Code with minimal privileges.

🌐 Internet-Facing: MEDIUM - Requires user interaction (cloning and opening repository) but can be delivered via phishing or malicious links.
🏢 Internal Only: LOW - Requires specific user actions and is not automatically exploitable across networks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to convince users to clone and open malicious repositories.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.41.1 and later

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0604

Restart Required: Yes

Instructions:

1. Open Visual Studio Code. 2. Go to Help > Check for Updates. 3. Install update to version 1.41.1 or later. 4. Restart Visual Studio Code.

🔧 Temporary Workarounds

Disable Integrated Terminal

all

Prevent exploitation by disabling the integrated terminal feature.

Add "terminal.integrated.enabled": false to settings.json

Restrict Repository Sources

all

Only clone and open repositories from trusted sources.

🧯 If You Can't Patch

  • Run Visual Studio Code with limited user privileges (not as administrator)
  • Implement application whitelisting to prevent unauthorized code execution

🔍 How to Verify

Check if Vulnerable:

Check Visual Studio Code version in Help > About. If version is earlier than 1.41.1, system is vulnerable.

Check Version:

code --version

Verify Fix Applied:

Confirm version is 1.41.1 or later in Help > About and test that integrated terminal functions normally.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Visual Studio Code terminal
  • Suspicious environment variable modifications

Network Indicators:

  • Unexpected outbound connections from Visual Studio Code process

SIEM Query:

Process Creation where Parent Process Name contains "Code.exe" and Command Line contains suspicious patterns

📊 Metadata

CVE ID: CVE-2020-0604
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Published: August 17, 2020
Last Updated: February 23, 2026

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON