Login Sign Up

CVE-2021-29261

7.8 HIGH
Remote Code Execution

📋 TL;DR

This vulnerability in the unofficial Svelte extension for Visual Studio Code allows attackers to execute arbitrary code by tricking users into opening a malicious workspace configuration. It affects developers using the Svelte extension in VS Code with versions before 104.8.0.

💻 Affected Systems

Products:
  • Svelte for VS Code (unofficial extension)
Versions: All versions before 104.8.0
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Visual Studio Code with the Svelte extension installed. Requires user to open a crafted workspace configuration.

📦 What is this software?

Svelte by Svelte

View all CVEs affecting Svelte →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete system compromise with attacker gaining full control of the developer's machine, potentially leading to data theft, lateral movement, or ransomware deployment.

🟠

Likely Case

Attacker executes malicious code in the context of the VS Code process, potentially stealing source code, credentials, or installing backdoors.

🟢

If Mitigated

Limited impact if extension is updated promptly and users avoid opening untrusted workspace configurations.

🌐 Internet-Facing: LOW - Requires user interaction with malicious workspace files, not directly internet-exposed.
🏢 Internal Only: MEDIUM - Developers could be tricked into opening malicious workspace configurations from internal sources.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to get user to open malicious workspace configuration. No authentication bypass needed once user interacts with the file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 104.8.0

Vendor Advisory: https://github.com/sveltejs/language-tools/releases/tag/extensions-104.8.0

Restart Required: Yes

Instructions:

1. Open VS Code. 2. Go to Extensions view (Ctrl+Shift+X). 3. Find 'Svelte for VS Code'. 4. Click Update button or uninstall/reinstall. 5. Restart VS Code.

🔧 Temporary Workarounds

Disable Svelte Extension

all

Temporarily disable the vulnerable extension until patched

code --disable-extension svelte.svelte-vscode

Avoid Untrusted Workspaces

all

Do not open workspace configurations from untrusted sources

🧯 If You Can't Patch

  • Disable the Svelte extension completely in VS Code
  • Implement strict policies against opening workspace files from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check extension version in VS Code: Extensions view → Svelte for VS Code → check version number

Check Version:

code --list-extensions --show-versions | grep svelte

Verify Fix Applied:

Verify extension version is 104.8.0 or higher in VS Code Extensions view

📡 Detection & Monitoring

Log Indicators:

  • VS Code extension loading errors
  • Unusual workspace configuration file access

Network Indicators:

  • Unusual outbound connections from VS Code process

SIEM Query:

process_name:vscode AND (process_cmdline:*svelte* OR file_path:*workspace*)

📊 Metadata

CVE ID: CVE-2021-29261
CVSS v3 Score: 7.8 (HIGH)
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Published: April 5, 2021
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON