CVE-2021-30124

9.8 CRITICAL

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on systems running the unofficial vscode-phpmd extension for Visual Studio Code. Attackers can exploit a crafted phpmd.command value in workspace folders to achieve remote code execution. Users of Visual Studio Code with the vulnerable extension installed are affected.

💻 Affected Systems

Products:
  • vscode-phpmd (unofficial PHP Mess Detector extension for Visual Studio Code)
Versions: All versions before 1.3.0
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Visual Studio Code with the vulnerable extension installed and workspace folder usage.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control over the developer's machine, potentially leading to data theft, lateral movement, or ransomware deployment.

🟠 Likely Case

Attackers execute malicious code within the developer's environment, potentially stealing source code, credentials, or installing backdoors.

🟢 If Mitigated

Limited impact with proper network segmentation and least privilege controls, potentially isolated to the user's development environment.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to control or influence the phpmd.command value in workspace settings.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.0 and later

Vendor Advisory: https://github.com/sandhje/vscode-phpmd/commit/c462bf5c6f0160d0199855d5f8ed76be8d9beac0

Restart Required: Yes

Instructions:

1. Open Visual Studio Code.
2. Go to Extensions view.
3. Search for 'vscode-phpmd'.
4. Click Update or reinstall to get version 1.3.0+.
5. Restart Visual Studio Code.

🔧 Temporary Workarounds

Disable extension

all

Temporarily disable the vscode-phpmd extension until patched

code --disable-extension ecodes.vscode-phpmd

Remove extension

all

Uninstall the vulnerable extension completely

code --uninstall-extension ecodes.vscode-phpmd

🧯 If You Can't Patch

  • Restrict workspace folder access to trusted sources only
  • Implement network segmentation to isolate development environments

🔍 How to Verify

Check if Vulnerable:

Check extension version in VS Code Extensions view or run: code --list-extensions --show-versions | grep vscode-phpmd

Check Version:

code --list-extensions --show-versions | grep vscode-phpmd

Verify Fix Applied:

Verify that the installed version is 1.3.0 or higher using the same command.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution from vscode-phpmd extension
  • Suspicious phpmd.command values in workspace settings

Network Indicators:

  • Unexpected outbound connections from VS Code process

SIEM Query:

process_name:vscode AND command_line:*phpmd.command*
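
The version check and the workspace-settings indicator above can be scripted. The following is an added example, not code from the advisory or from the extension's project: it classifies the installed extension against the fixed release 1.3.0 and lists workspace files that set phpmd.command so the value can be reviewed before the folder is opened. The function names are this example's own, and it assumes workspace settings are stored in .vscode/settings.json or *.code-workspace files.

```shell
#!/bin/sh
# Added example: workstation audit for CVE-2021-30124.
# Usage on a workstation:
#   code --list-extensions --show-versions | phpmd_status
#   find_phpmd_command_overrides "$HOME/projects"

FIXED_VERSION="1.3.0"   # first fixed release, per the advisory

# Print the version of any extension whose id ends in "vscode-phpmd".
# Reads `code --list-extensions --show-versions` output (publisher.name@x.y.z) on stdin.
phpmd_ext_version() {
  awk -F'@' 'tolower($1) ~ /(^|\.)vscode-phpmd$/ { print $2 }'
}

# Return 0 if dotted version $1 is lower than $2 (first three numeric fields).
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    split(a, x, "."); split(b, y, ".")
    for (i = 1; i <= 3; i++) {
      if (x[i] + 0 < y[i] + 0) exit 0
      if (x[i] + 0 > y[i] + 0) exit 1
    }
    exit 1   # equal versions are not "lower"
  }'
}

# Classify the extension list on stdin as:
#   "not-installed", "vulnerable <version>" or "patched <version>".
phpmd_status() {
  ver=$(phpmd_ext_version | head -n 1)
  if [ -z "$ver" ]; then
    echo "not-installed"
  elif version_lt "$ver" "$FIXED_VERSION"; then
    echo "vulnerable $ver"
  else
    echo "patched $ver"
  fi
}

# List workspace-level files under directory $1 that set phpmd.command,
# printed as file:line:content for manual review of the configured value.
find_phpmd_command_overrides() {
  find "$1" -type f \
    \( -path '*/.vscode/settings.json' -o -name '*.code-workspace' \) \
    -exec grep -Hn '"phpmd\.command"' {} + 2>/dev/null || true
}
```

A hit from find_phpmd_command_overrides is not proof of compromise; it marks a workspace file whose phpmd.command value should be read before the folder is opened with a vulnerable extension version.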
