CVE-2021-30502

9.8 CRITICAL

📋 TL;DR

This vulnerability in the unofficial vscode-ghc-simple extension for Visual Studio Code allows remote code execution when a user opens a malicious workspace configuration file. An attacker can supply a workspace whose replCommand parameter contains an arbitrary command, which the extension then executes on the victim's system. Anyone using an affected version of this Visual Studio Code extension is vulnerable.

💻 Affected Systems

Products:
  • vscode-ghc-simple (Simple Glasgow Haskell Compiler extension for Visual Studio Code)
Versions: All versions before 0.2.3
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires Visual Studio Code with the vulnerable extension installed. Exploitation requires user interaction to open a malicious workspace file.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise allowing attackers to execute arbitrary commands with the user's privileges, potentially leading to data theft, ransomware deployment, or lateral movement within networks.

🟠 Likely Case

Attackers trick users into opening malicious workspace files, leading to execution of malicious code that could steal credentials, install malware, or compromise development environments.

🟢 If Mitigated

With proper security controls, impact is limited to the user's local environment without network propagation or access to sensitive systems.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to open a malicious workspace file. The vulnerability is well-documented with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.2.3

Vendor Advisory: https://github.com/dramforever/vscode-ghc-simple/blob/master/CHANGELOG.md#v023

Restart Required: Yes

Instructions:

1. Open Visual Studio Code.
2. Go to the Extensions view (Ctrl+Shift+X).
3. Search for 'vscode-ghc-simple'.
4. Click Update, or reinstall the extension.
5. Restart Visual Studio Code.

🔧 Temporary Workarounds

Disable extension (platform: all)

Temporarily disable the vulnerable extension until patched (the flag applies to the Visual Studio Code session it launches; to keep it disabled across restarts, disable it from the Extensions view):

code --disable-extension dramforever.vscode-ghc-simple

Remove extension (platform: all)

Uninstall the vulnerable extension completely:

code --uninstall-extension dramforever.vscode-ghc-simple

🧯 If You Can't Patch

  • Avoid opening untrusted workspace configuration files
  • Use Visual Studio Code in restricted mode or with limited permissions
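Added example, not from the advisory or the extension's own code: a pre-open check for the first mitigation above. It scans a workspace's `.vscode/settings.json` and any `*.code-workspace` file for a setting whose key mentions replCommand, so the command the extension would run is visible before the folder is opened. The advisory names the replCommand parameter but not the full setting id, so matching any key containing that fragment, the `ghcSimple.replCommand` key in the constructed sample, and the file names scanned are assumptions. VS Code settings files are JSONC, so comments are stripped before parsing; a file that still fails to parse falls back to a raw-text scan.

```python
# Added example (not from the advisory): look for replCommand-style settings in a
# workspace's configuration files before opening it. VS Code settings are JSONC, so
# comments are stripped first; a file that still fails to parse gets a raw-text scan.
import json
import re
from pathlib import Path
from typing import Any, Dict, List

# The advisory names the replCommand parameter but not the full setting id, so any key
# containing this fragment is treated as relevant (assumption).
SUSPECT_KEY_FRAGMENT = "replcommand"
WORKSPACE_CONFIG_NAMES = (".vscode/settings.json",)


def strip_jsonc_comments(text: str) -> str:
    """Remove // and /* */ comments that are outside string literals."""
    out, i, n = [], 0, len(text)
    while i < n:
        if text[i] == '"':                      # copy a string literal verbatim, honouring escapes
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1])
            i = j + 1
        elif text.startswith("//", i):
            nl = text.find("\n", i)
            i = n if nl == -1 else nl
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end == -1 else end + 2
        else:
            out.append(text[i])
            i += 1
    return "".join(out)


def _collect(obj: Any, prefix: str, hits: Dict[str, Any]) -> None:
    """Walk nested dicts/lists (a .code-workspace file nests settings under "settings")."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            if SUSPECT_KEY_FRAGMENT in key.lower():
                hits[path] = value
            _collect(value, path, hits)
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            _collect(value, f"{prefix}[{idx}]", hits)


def find_suspect_settings(text: str) -> Dict[str, Any]:
    """Return {key path: value} for every key whose name mentions replCommand."""
    hits: Dict[str, Any] = {}
    try:
        _collect(json.loads(strip_jsonc_comments(text)), "", hits)
        return hits
    except json.JSONDecodeError:
        pass
    # Fallback for files that are not clean JSON even after comment stripping (e.g. trailing commas).
    pattern = (r'"([^"]*' + re.escape(SUSPECT_KEY_FRAGMENT) + r'[^"]*)"\s*:\s*'
               r'("(?:[^"\\]|\\.)*"|[^,}\n]+)')
    return {k: v.strip() for k, v in re.findall(pattern, text, re.IGNORECASE)}


def scan_workspace(root: Path) -> List[str]:
    """Report 'file: key = value' for suspect entries in the workspace's config files."""
    findings: List[str] = []
    candidates = [root / name for name in WORKSPACE_CONFIG_NAMES] + sorted(root.glob("*.code-workspace"))
    for path in candidates:
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            for key, value in find_suspect_settings(text).items():
                findings.append(f"{path}: {key} = {value!r}")
    return findings


# Constructed sample (not from a real workspace); the setting id is hypothetical.
SAMPLE_SETTINGS = """{
  // workspace settings
  "editor.tabSize": 2,
  "ghcSimple.replCommand": "echo unexpected-command" /* would run when the REPL starts */
}
"""

if __name__ == "__main__":
    print(find_suspect_settings(SAMPLE_SETTINGS))
    print(scan_workspace(Path(".")))
```

Run `scan_workspace(Path("/path/to/untrusted/workspace"))` on a checkout before opening it in VS Code; any finding is a reason to inspect the folder with the extension disabled.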

🔍 How to Verify

Check if Vulnerable:

Check extension version in Visual Studio Code Extensions view or run: code --list-extensions --show-versions | grep vscode-ghc-simple

Check Version:

code --list-extensions --show-versions | grep vscode-ghc-simple

Verify Fix Applied:

Verify extension version is 0.2.3 or higher using: code --list-extensions --show-versions | grep vscode-ghc-simple
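Added example, not from the advisory or the extension project: a version check that parses the output of `code --list-extensions --show-versions` and compares the installed vscode-ghc-simple version numerically against 0.2.3. It goes a step beyond the grep above, which only shows whether the extension is present: a string comparison would rank a hypothetical 0.2.10 below 0.2.3, whereas per-component comparison treats it as patched. The extension id `dramforever.vscode-ghc-simple` is the one used by the advisory's workaround commands; the sample listing is constructed.

```python
# Added example (not from the advisory): parse `code --list-extensions --show-versions`
# output and decide whether the installed vscode-ghc-simple is at or above the patched
# version 0.2.3. Components are compared numerically, so 0.2.10 counts as newer than 0.2.3.
import re
import shutil
import subprocess
from typing import Optional, Tuple

EXTENSION_ID = "dramforever.vscode-ghc-simple"   # id used by the advisory's workaround commands
PATCHED_VERSION = "0.2.3"                        # first fixed version per the advisory


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '0.2.3' into (0, 2, 3); a non-numeric suffix such as '-beta' is dropped."""
    match = re.match(r"(\d+(?:\.\d+)*)", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def installed_version(listing: str, ext_id: str = EXTENSION_ID) -> Optional[str]:
    """Find `ext_id@version` in the listing; None if the extension is not installed.
    The id is compared case-insensitively so a differently cased listing still matches."""
    for line in listing.splitlines():
        ident, sep, version = line.strip().partition("@")
        if sep and ident.lower() == ext_id.lower():
            return version
    return None


def assess(listing: str) -> str:
    """Return 'not_installed', 'vulnerable' or 'patched' for a listing string."""
    version = installed_version(listing)
    if version is None:
        return "not_installed"
    if parse_version(version) < parse_version(PATCHED_VERSION):
        return "vulnerable"
    return "patched"


def assess_local_install() -> str:
    """Run the real `code` CLI if it is on PATH and assess what it reports."""
    if shutil.which("code") is None:
        return "code_cli_not_found"
    result = subprocess.run(["code", "--list-extensions", "--show-versions"],
                            capture_output=True, text=True, check=False)
    return assess(result.stdout)


if __name__ == "__main__":
    # Constructed sample of the CLI's output format; not captured from a real machine.
    sample = "ms-python.python@2021.5.829140558\ndramforever.vscode-ghc-simple@0.2.2\n"
    print(assess(sample))            # vulnerable
    print(assess_local_install())
```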

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Visual Studio Code
  • Suspicious command execution in terminal with replCommand patterns

Network Indicators:

  • Unexpected outbound connections from Visual Studio Code process

SIEM Query:

process_name:"code" AND cmdline:"replCommand"
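Added example, not from the advisory: the log and network indicators above applied to endpoint telemetry. The query above matches a literal process name of "code", which is the Linux binary name; on Windows the process is Code.exe and on macOS the helper processes are named "Code Helper", so this example matches on the normalised image basename instead. The JSON-lines event schema (fields `event`, `parent_image`, `image`, `cmdline`, `dest_host`), the allowlists of expected child processes and hosts, and the constructed sample events are all assumptions to adapt to the local telemetry source.

```python
# Added example (not from the advisory): apply its process and network indicators to
# process_create / network_connect events. Schema and allowlists are assumptions.
import json
import re
from typing import Dict, Iterable, List

# VS Code is "code" on Linux, "Code.exe" on Windows and has "Code Helper" processes on macOS,
# so match on the image basename rather than the literal name "code".
VSCODE_IMAGE = re.compile(r"^(code|code - insiders|code helper.*)(\.exe)?$", re.IGNORECASE)
SHELLS = {"sh", "bash", "zsh", "cmd", "powershell", "pwsh"}
# Children a Haskell REPL extension is expected to start (assumption; extend for your toolchain).
EXPECTED_CHILDREN = SHELLS | {"ghci", "ghc", "cabal", "stack"}
HASKELL_TOOL = re.compile(r"\b(ghci|ghc|cabal|stack)\b", re.IGNORECASE)
# Hosts VS Code itself talks to for updates and the marketplace (assumption; tune to your environment).
EXPECTED_HOSTS = {"marketplace.visualstudio.com", "update.code.visualstudio.com"}


def basename(path: str) -> str:
    """Last path component for either Windows or POSIX separators."""
    return re.split(r"[\\/]", path)[-1]


def is_vscode(image: str) -> bool:
    return bool(VSCODE_IMAGE.match(basename(image)))


def classify(event: Dict[str, str]) -> List[str]:
    """Names of the rules the event triggers; an empty list means no indicator fired."""
    reasons: List[str] = []
    kind = event.get("event")
    if kind == "process_create" and is_vscode(event.get("parent_image", "")):
        child = basename(event.get("image", "")).lower()
        if child.endswith(".exe"):
            child = child[:-4]
        cmdline = event.get("cmdline", "")
        if child not in EXPECTED_CHILDREN:
            reasons.append("unexpected_child_of_vscode")
        if "replcommand" in cmdline.lower():              # the advisory's command-line indicator
            reasons.append("replcommand_in_cmdline")
        if child in SHELLS and not HASKELL_TOOL.search(cmdline):
            reasons.append("shell_without_haskell_tool")  # REPL shell that starts no Haskell tool
    elif kind == "network_connect" and is_vscode(event.get("image", "")):
        if event.get("dest_host", "").lower() not in EXPECTED_HOSTS:
            reasons.append("unexpected_outbound_from_vscode")
    return reasons


def scan(lines: Iterable[str]) -> List[Dict]:
    """Run classify() over JSON-lines telemetry; unparseable lines are reported, not dropped."""
    alerts: List[Dict] = []
    for lineno, raw in enumerate(lines, 1):
        raw = raw.strip()
        if not raw:
            continue
        try:
            event = json.loads(raw)
        except json.JSONDecodeError:
            alerts.append({"line": lineno, "reasons": ["unparseable_event"]})
            continue
        reasons = classify(event)
        if reasons:
            alerts.append({"line": lineno, "reasons": reasons, "event": event})
    return alerts


# Constructed telemetry (not from a real incident); paths and hosts are illustrative.
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"event": "process_create", "parent_image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c stack repl"},
    {"event": "process_create", "parent_image": "/usr/share/code/code",
     "image": "/bin/sh", "cmdline": "sh -c 'echo unexpected-command'"},
    {"event": "process_create", "parent_image": "/usr/share/code/code",
     "image": "/usr/bin/calc", "cmdline": "calc"},
    {"event": "process_create", "parent_image": "/usr/bin/code",
     "image": "/bin/bash", "cmdline": "bash -c 'echo replCommand test'"},
    {"event": "network_connect", "image": r"C:\Program Files\Microsoft VS Code\Code.exe",
     "dest_host": "marketplace.visualstudio.com"},
    {"event": "network_connect", "image": "/usr/share/code/code", "dest_host": "files.example.net"},
]]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert["line"], alert["reasons"])
```

The first sample event (a shell that launches `stack repl`) is what a legitimate use of the extension looks like and produces no alert; the allowlists are what keep that quiet, so tune them to the toolchain actually in use before deploying the rule.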

🔗 References
