Login Sign Up

CVE-2021-28793

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

CVE-2021-28793 is an incorrect access control vulnerability in the vscode-restructuredtext extension for Visual Studio Code. It allows arbitrary binary execution via crafted workspace configurations when opening malicious project folders. Users of the affected extension versions are vulnerable.

💻 Affected Systems

Products:
  • vscode-restructuredtext Visual Studio Code extension
Versions: All versions before 146.0.0
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Visual Studio Code with the vulnerable extension installed. Exploitation requires opening a malicious project folder.

📦 What is this software?

Restructuredtext by Lextudio

View all CVEs affecting Restructuredtext →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise through arbitrary code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Local privilege escalation or execution of malicious payloads when users open untrusted project folders containing crafted workspace configurations.

🟢

If Mitigated

No impact if extension is updated or if users only open trusted project folders from verified sources.

🌐 Internet-Facing: LOW - This requires local access or user interaction with malicious project files.
🏢 Internal Only: MEDIUM - Internal developers could be targeted via shared malicious project repositories or compromised development environments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening malicious project folder). Proof of concept details are publicly available in vulnerability reports.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 147.0.0

Vendor Advisory: https://github.com/vscode-restructuredtext/vscode-restructuredtext/releases/tag/147.0.0

Restart Required: Yes

Instructions:

1. Open Visual Studio Code. 2. Go to Extensions view (Ctrl+Shift+X). 3. Search for 'reStructuredText'. 4. Click Update or reinstall extension. 5. Restart VS Code.

🔧 Temporary Workarounds

Disable extension

all

Temporarily disable the vscode-restructuredtext extension until patched.

code --disable-extension lextudio.restructuredtext

Restrict project sources

all

Only open project folders from trusted sources and verified repositories.

🧯 If You Can't Patch

  • Implement application allowlisting to restrict execution of unauthorized binaries
  • Use sandboxed development environments or containers for untrusted projects

🔍 How to Verify

Check if Vulnerable:

Check extension version in VS Code Extensions view. If version is below 146.0.0, you are vulnerable.

Check Version:

code --list-extensions --show-versions | findstr restructuredtext

Verify Fix Applied:

Verify extension version is 147.0.0 or higher in Extensions view.

📡 Detection & Monitoring

Log Indicators:

  • Unexpected binary execution from VS Code process
  • Workspace configuration files with suspicious commands

Network Indicators:

  • Outbound connections from VS Code to unexpected destinations

SIEM Query:

process_name:vscode AND (process_command_line:*restructuredtext* OR parent_process:vscode)

📊 Metadata

CVE ID: CVE-2021-28793
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-863
Published: April 20, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-28793, you might also want to check these:

CVE-2023-4617 10.0

This vulnerability allows remote attackers to bypass authorization controls in the Govee Home mobile...

Same vulnerability type (CWE-863)
CVE-2025-54253 10.0

CVE-2025-54253 is a critical misconfiguration vulnerability in Adobe Experience Manager Forms that a...

Same vulnerability type (CWE-863)
CVE-2021-38503 10.0

This vulnerability allows malicious iframes to bypass sandbox restrictions when loading XSLT stylesh...

Same vulnerability type (CWE-863)