CVE-2021-28791

7.8 HIGH

📋 TL;DR

This vulnerability in the unofficial SwiftFormat extension for Visual Studio Code allows remote attackers to execute arbitrary code by tricking users into opening a malicious workspace. Attackers can craft a swiftformat.path configuration value that triggers code execution upon workspace opening. Users of Visual Studio Code with the vulnerable SwiftFormat extension are affected.

💻 Affected Systems

Products:
  • vscode-swiftformat (unofficial SwiftFormat extension for Visual Studio Code)
Versions: All versions before 1.3.7
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Visual Studio Code with the vulnerable extension installed; exploitation requires user interaction to open malicious workspace.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the victim's machine, allowing data theft, ransomware deployment, or lateral movement within networks.

🟠 Likely Case

Attackers execute malicious code in the context of the current user, potentially stealing credentials, accessing sensitive files, or installing backdoors.

🟢 If Mitigated

No impact if the extension is patched or workarounds are implemented; limited to user-level access if proper security controls restrict privilege escalation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to get victim to open malicious workspace; no authentication bypass needed beyond user interaction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.7

Vendor Advisory: https://github.com/vknabel/vscode-swiftformat/releases/tag/1.3.7

Restart Required: Yes

Instructions:

1. Open Visual Studio Code.
2. Go to the Extensions view (Ctrl+Shift+X).
3. Search for 'SwiftFormat'.
4. Click Update, or uninstall and reinstall to get version 1.3.7 or later.
5. Restart Visual Studio Code.

🔧 Temporary Workarounds

Disable SwiftFormat Extension (all platforms)

Temporarily disable the vulnerable extension until patching is possible.

code --disable-extension vknabel.vscode-swiftformat

Restrict Workspace Opening (all platforms)

Only open workspaces from trusted sources; avoid opening unknown .code-workspace files, and treat a folder's own .vscode/settings.json the same way, since VS Code applies folder-level settings when the folder is opened.

🧯 If You Can't Patch

  • Uninstall the SwiftFormat extension completely from Visual Studio Code
  • Implement application whitelisting to prevent execution of unauthorized binaries

🔍 How to Verify

Check if Vulnerable:

Check extension version in VS Code Extensions view; if version is below 1.3.7, you are vulnerable.

Check Version:

code --list-extensions --show-versions | grep vknabel.vscode-swiftformat

Verify Fix Applied:

Confirm extension version shows 1.3.7 or higher in Extensions view after update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from VS Code extension directory
  • SwiftFormat extension loading unexpected executables

Network Indicators:

  • Outbound connections from VS Code process to suspicious domains

SIEM Query:

process where parent_process_name contains 'code' and process_name not in ('node', 'git', known_benign)

This is a pseudo-query: map parent_process_name to the name your EDR records for the VS Code process (a bare 'code' substring also matches unrelated process names) and replace known_benign with your own allowlist of child processes VS Code normally launches.
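As an added example (not part of this advisory or of the vscode-swiftformat project), the following Python script automates both checks described above offline: it compares an installed version string against 1.3.7, and it flags swiftformat.path overrides in a .vscode/settings.json or .code-workspace document that point into the workspace or away from an allowlisted binary location. The allowlist paths, the heuristics, and the sample workspace file are constructed assumptions, not values from the advisory.

```python
import json
import re
from pathlib import PurePosixPath

PATCHED = (1, 3, 7)  # first fixed release named in the advisory
# Assumed allowlist of expected binary locations (not from the advisory; adjust per host).
ALLOWED = {"/usr/local/bin/swiftformat", "/opt/homebrew/bin/swiftformat"}

def is_vulnerable_version(version):
    """True when a version from `code --list-extensions --show-versions` sorts before 1.3.7."""
    parts = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    return parts + (0,) * (3 - len(parts)) < PATCHED

def strip_jsonc(text):
    """Settings files are JSONC: drop block comments, full-line // comments and trailing commas."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def find_overrides(text, workspace_root):
    """Return (value, reason) pairs for swiftformat.path values a workspace author controls.
    Accepts a .vscode/settings.json document or a .code-workspace document (nested 'settings')."""
    doc = json.loads(strip_jsonc(text))
    raw = doc.get("settings", doc).get("swiftformat.path")
    if raw is None:
        return []
    root, findings = PurePosixPath(workspace_root), []
    for value in (raw if isinstance(raw, list) else [raw]):
        value = str(value)
        path = PurePosixPath(value)
        if "${workspace" in value:  # ${workspaceFolder}, ${workspaceRoot}, ...
            findings.append((value, "references a workspace variable"))
        elif not path.is_absolute():
            findings.append((value, "relative path (resolution depends on the working directory)"))
        elif root in path.parents:
            findings.append((value, "absolute path inside the workspace"))
        elif value not in ALLOWED:
            findings.append((value, "not an allowlisted binary location"))
    return findings

# Constructed sample of a malicious .code-workspace file (not a real artifact).
SAMPLE_WORKSPACE = """{
  // constructed sample: a workspace-level override pointing into the repo
  "folders": [{ "path": "." }],
  "settings": {
    "swiftformat.path": "${workspaceFolder}/.tools/swiftformat",
  }
}"""
```

Feed find_overrides the text of each .vscode/settings.json and *.code-workspace file under a checkout before opening it in VS Code; any non-empty result is worth a manual look.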
