CVE-2021-28789
📋 TL;DR
This vulnerability in the unofficial apple/swift-format Visual Studio Code extension allows remote attackers to execute arbitrary code by tricking users into opening a malicious workspace. Attackers can craft a workspace configuration that triggers code execution when the workspace loads. Users of Visual Studio Code with this extension installed are affected.
💻 Affected Systems
- vscode-apple-swift-format (unofficial Visual Studio Code extension)
📦 What is this software?
Apple Swift Format by Apple Swift Format Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise with attacker gaining complete control over the victim's development environment and potentially the underlying system.
Likely Case
Attacker executes malicious code in the context of the Visual Studio Code user, potentially stealing credentials, accessing source code, or installing additional malware.
If Mitigated
No impact if extension is updated or removed, or if users only open trusted workspaces.
🎯 Exploit Status
Exploitation requires user interaction (opening a malicious workspace). The attack vector is through crafted workspace configuration files.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.1.2
Vendor Advisory: https://github.com/vknabel/vscode-apple-swift-format/releases/tag/1.1.2
Restart Required: Yes
Instructions:
1. Open Visual Studio Code.
2. Go to Extensions view (Ctrl+Shift+X).
3. Search for 'apple/swift-format'.
4. Click Update or reinstall the extension.
5. Restart Visual Studio Code.
🔧 Temporary Workarounds
Remove vulnerable extension
Platform: all. Uninstall the vulnerable extension completely.
code --uninstall-extension vknabel.vscode-apple-swift-format
Disable automatic workspace loading
Platform: all. Configure VS Code to not automatically load workspace settings.
🧯 If You Can't Patch
- Avoid opening untrusted workspace files or projects
- Use Visual Studio Code in a sandboxed environment
🔍 How to Verify
Check if Vulnerable:
In the VS Code Extensions view, find the 'apple/swift-format' extension and check its installed version.
Check Version:
code --list-extensions --show-versions | grep vscode-apple-swift-format
Verify Fix Applied:
Verify extension version is 1.1.2 or higher in Extensions view.
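The version check above can be scripted for auditing several machines. The following is an added example, not part of the original advisory or the extension project: it reads the `publisher.name@version` lines printed by `code --list-extensions --show-versions` and compares the installed version numerically against the patch version 1.1.2. The function names `version_lt` and `classify_listing` and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify an extension listing against the fixed release.
EXT_ID="vknabel.vscode-apple-swift-format"  # id from the uninstall command on this page
FIXED="1.1.2"                               # patch version stated on this page

# version_lt A B: succeeds when A is older than B. Fields are compared as
# numbers, so 1.10.0 is correctly newer than 1.1.2 (a string compare is not).
# Assumes numeric major.minor.patch; any -pre or +build suffix is dropped.
version_lt() {
  a="${1%%[-+]*}.0.0"   # pad so short versions like "1.2" still have 3 fields
  b="${2%%[-+]*}.0.0"
  for field in 1 2 3; do
    x=$(printf '%s' "$a" | cut -d. -f"$field")
    y=$(printf '%s' "$b" | cut -d. -f"$field")
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1              # equal versions are not "older"
}

# classify_listing: reads `code --list-extensions --show-versions` output
# (one publisher.name@version per line) on stdin and prints a verdict.
classify_listing() {
  ver=$(awk -F@ -v id="$EXT_ID" 'tolower($1) == id { print $2; exit }')
  if [ -z "$ver" ]; then
    echo "not-installed"
  elif version_lt "$ver" "$FIXED"; then
    echo "vulnerable $ver"
  else
    echo "patched $ver"
  fi
}

# Constructed sample listings (not taken from a real host).
for sample in \
  "example.other-extension@0.9.0 vknabel.vscode-apple-swift-format@1.1.1" \
  "vknabel.vscode-apple-swift-format@1.10.0" \
  "example.other-extension@0.9.0"; do
  printf '%s\n' $sample | classify_listing
done
# On a real host: code --list-extensions --show-versions | classify_listing
```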
📡 Detection & Monitoring
Log Indicators:
- Unusual process execution from VS Code extension context
- Workspace configuration loading errors
Network Indicators:
- Unexpected outbound connections from VS Code process
SIEM Query:
process.name:vscode AND process.cmd_line:*apple-swift-format* AND event.action:exec