CVE-2021-28794
📋 TL;DR
This vulnerability in the unofficial ShellCheck extension for Visual Studio Code (vscode-shellcheck) allows arbitrary code execution through mishandling of the shellcheck.executablePath setting: an attacker who can influence that setting can run commands with the privileges of the Visual Studio Code user. Anyone running an affected version of the extension is vulnerable.
💻 Affected Systems
- vscode-shellcheck (unofficial ShellCheck extension for Visual Studio Code)
📦 What is this software?
Shellcheck by Shellcheck Project
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise through arbitrary code execution, potentially leading to data theft, ransomware deployment, or lateral movement within the network.
Likely Case
Local privilege escalation leading to unauthorized access to sensitive files, credentials, or system resources within the user's privilege context.
If Mitigated
Limited impact if proper application sandboxing, least privilege principles, and network segmentation are implemented.
🎯 Exploit Status
Exploitation requires local access or social engineering to manipulate extension settings.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.13.4
Vendor Advisory: https://github.com/timonwong/vscode-shellcheck/releases/tag/v0.13.4
Restart Required: Yes
Instructions:
1. Open Visual Studio Code.
2. Go to the Extensions view (Ctrl+Shift+X).
3. Search for 'ShellCheck'.
4. Click Update, or reinstall the extension.
5. Restart Visual Studio Code.
🔧 Temporary Workarounds
Disable ShellCheck Extension
Temporarily disable the vulnerable extension until patching is possible
code --disable-extension timonwong.shellcheck
Remove ShellCheck Extension
Uninstall the vulnerable extension completely
code --uninstall-extension timonwong.shellcheck
🧯 If You Can't Patch
- Run Visual Studio Code with minimal user privileges
- Implement application control/whitelisting to prevent unauthorized code execution
🔍 How to Verify
Check if Vulnerable:
Check the extension version in the VS Code Extensions view, or run (Windows): code --list-extensions --show-versions | findstr shellcheck
Check Version:
code --list-extensions --show-versions | grep shellcheck
Verify Fix Applied:
Verify that the extension version shown in the Extensions view is 0.13.4 or higher
📡 Detection & Monitoring
Log Indicators:
- Unusual shellcheck process execution patterns
- Modifications to shellcheck.executablePath setting
Network Indicators:
- Unexpected outbound connections from Visual Studio Code process
SIEM Query:
Process Creation where Image contains 'shellcheck' OR CommandLine contains 'shellcheck.executablePath'
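As an added example (not the extension's or the advisory's own code), a Python check covering the two verification points above: the installed extension version against 0.13.4, and whether a settings file sets shellcheck.executablePath. It assumes that code --list-extensions --show-versions prints one publisher.name@version line per extension; the sample listing and settings file are constructed.

```python
"""Check a workstation for CVE-2021-28794 exposure (added example, not vendor code).

Assumption: `code --list-extensions --show-versions` prints one line per
extension in the form `publisher.name@version`.
"""
import json
import re
import subprocess

EXTENSION_ID = "timonwong.shellcheck"   # extension id from the advisory
FIXED_VERSION = (0, 13, 4)              # first patched release per the advisory
SETTING = "shellcheck.executablePath"   # the mishandled setting


def parse_version(text):
    """Turn '0.13.4' (or '0.13.4-beta') into (0, 13, 4) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def installed_shellcheck_version(listing):
    """Return the installed version tuple of the extension, or None if it is absent."""
    for line in listing.splitlines():
        ext_id, sep, version = line.strip().partition("@")
        if sep and ext_id.lower() == EXTENSION_ID:
            return parse_version(version)
    return None


def is_vulnerable(listing):
    """True only when the extension is installed and older than the fixed version."""
    version = installed_shellcheck_version(listing)
    return version is not None and version < FIXED_VERSION


def find_executable_path_override(settings_text):
    """Return the shellcheck.executablePath value set in a settings file, or None.

    A workspace .vscode/settings.json that ships inside a repository is the place
    a defender should look, since that is where an untrusted party can set it."""
    stripped = re.sub(r"^\s*//.*$", "", settings_text, flags=re.M)  # drop // comments
    return json.loads(stripped).get(SETTING)


def check_live_system():
    """Run the real `code` CLI and report whether the installed version is affected."""
    result = subprocess.run(["code", "--list-extensions", "--show-versions"],
                            capture_output=True, text=True, check=False)
    return is_vulnerable(result.stdout)


# Constructed sample inputs (not captured from a real machine).
SAMPLE_LISTING = "ms-python.python@2021.3.680753044\ntimonwong.shellcheck@0.13.3\n"
SAMPLE_WORKSPACE_SETTINGS = """{
  // constructed: points the linter at a script shipped inside the repository
  "shellcheck.executablePath": "./tools/shellcheck.sh"
}"""

if __name__ == "__main__":
    print("vulnerable version installed:", is_vulnerable(SAMPLE_LISTING))
    print("executablePath override:", find_executable_path_override(SAMPLE_WORKSPACE_SETTINGS))
```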
🔗 References
- https://github.com/timonwong/vscode-shellcheck/pull/181
- https://github.com/timonwong/vscode-shellcheck/releases/tag/v0.13.4
- https://vuln.ryotak.me/advisories/10