CVE-2020-17023

7.8 HIGH

📋 TL;DR

This CVE describes a remote code execution vulnerability in Visual Studio Code where opening a malicious package.json file allows arbitrary code execution. It affects Visual Studio Code users who open untrusted repositories. The attacker needs to trick users into cloning and opening malicious content.

💻 Affected Systems

Products:
  • Visual Studio Code
Versions: Prior to the fix (specific version not stated in the CVE description)
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: All Visual Studio Code installations are vulnerable before patching. Exploitation requires the user to open a malicious package.json file.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Full system compromise with administrative privileges, allowing an attacker to install malware, steal data, create accounts, and maintain persistence.

🟠 Likely Case: Limited user account compromise leading to data theft, lateral movement within the network, and potential privilege escalation.

🟢 If Mitigated: No impact if the patch is applied or if users do not open untrusted package.json files in Visual Studio Code.

🌐 Internet-Facing: MEDIUM - Requires user interaction (opening malicious file) but can be delivered via phishing or compromised repositories.
🏢 Internal Only: MEDIUM - Internal users could be targeted via internal repositories or social engineering.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires social engineering to trick a user into opening a malicious file. No authentication bypass is needed, but user interaction is required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Visual Studio Code release containing the fix (specific version not provided in the CVE description)

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17023

Restart Required: Yes

Instructions:

1. Open Visual Studio Code.
2. Go to Help > Check for Updates.
3. Install the latest update.
4. Restart Visual Studio Code.

🔧 Temporary Workarounds

Avoid opening untrusted package.json files (platforms: all)

Do not open package.json files from untrusted sources in Visual Studio Code.

Use an alternative text editor for untrusted JSON (platforms: all)

Open suspicious package.json files in a basic text editor instead of Visual Studio Code.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized code
  • Restrict user privileges to limit impact if exploitation occurs

🔍 How to Verify

Check if Vulnerable:

Check the Visual Studio Code version. If it has not been updated since the vulnerability disclosure (November 2020), assume it is vulnerable.

Check Version:

Run code --version on the command line, or check About in the Visual Studio Code menu.

Verify Fix Applied:

Confirm that Visual Studio Code has been updated to the latest version, which is no longer vulnerable to CVE-2020-17023.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Visual Studio Code
  • Suspicious file opens of package.json files

Network Indicators:

  • Downloads from untrusted repositories followed by Visual Studio Code activity

SIEM Query:

Process creation events where the parent process is 'code.exe' and the command line contains suspicious patterns
