CVE-2021-34528

7.8 HIGH

📋 TL;DR

This vulnerability in Visual Studio Code allows remote code execution when a user opens a maliciously crafted file or project. It affects users who open untrusted files in Visual Studio Code, particularly developers working with external codebases.

💻 Affected Systems

Products:
  • Visual Studio Code
Versions: prior to 1.58.2
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: All default installations are vulnerable. The vulnerability requires user interaction (opening a malicious file).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise with attacker gaining complete control over the victim's machine, potentially leading to data theft, ransomware deployment, or lateral movement within networks.

🟠 Likely Case

Local privilege escalation or arbitrary code execution in the context of the current user, allowing attackers to steal credentials, install malware, or access sensitive files.

🟢 If Mitigated

Limited impact with proper sandboxing and file validation, potentially only affecting isolated development environments.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction but is relatively straightforward once a malicious file is opened.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.58.2 and later

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-34528

Restart Required: Yes

Instructions:

1. Open Visual Studio Code.
2. Go to Help > Check for Updates.
3. Install version 1.58.2 or later.
4. Restart Visual Studio Code after installation.

🔧 Temporary Workarounds

Disable automatic file opening

Platform: all

Prevent Visual Studio Code from automatically opening files from untrusted sources:

  • Set 'files.autoSave' to 'off' in settings.json
  • Set 'workbench.editor.enablePreview' to false

Use sandboxed environment

Platform: linux

Run Visual Studio Code in a container or VM when working with untrusted files:

  docker run -it --rm -v $(pwd):/workspace -w /workspace mcr.microsoft.com/vscode/devcontainers/base:ubuntu

🧯 If You Can't Patch

  • Only open files from trusted sources and verify file integrity before opening
  • Use alternative text editors for untrusted files and disable Visual Studio Code extensions

🔍 How to Verify

Check if Vulnerable:

Check Visual Studio Code version in Help > About. If version is earlier than 1.58.2, the system is vulnerable.

Check Version:

code --version

Verify Fix Applied:

Verify version is 1.58.2 or later in Help > About and test opening known safe files.
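The version check above can be scripted for fleet-wide verification. The following POSIX shell script is an added example, not part of the advisory page; it assumes `code --version` prints the version string on its first line (as the VS Code CLI does) and compares it numerically, component by component, against the fixed version 1.58.2 stated above. Pass a version string as the first argument to check a value collected elsewhere instead of the local installation.

```shell
#!/bin/sh
# Added example (not from the advisory): compare a VS Code version
# against the first fixed release, 1.58.2, for CVE-2021-34528.

FIXED_VERSION="1.58.2"

# version_ge A B -> returns 0 if A >= B, 1 otherwise.
# Compares the first three dotted numeric components; a missing
# component counts as 0 and a non-numeric suffix (e.g. "-insider") is ignored.
version_ge() {
    # Append ".0.0" so that every field exists even for short inputs like "1".
    a="$1.0.0"
    b="$2.0.0"
    i=1
    while [ "$i" -le 3 ]; do
        ac=$(printf '%s' "$a" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        bc=$(printf '%s' "$b" | cut -d. -f"$i" | sed 's/[^0-9].*//')
        ac=${ac:-0}
        bc=${bc:-0}
        if [ "$ac" -gt "$bc" ]; then return 0; fi
        if [ "$ac" -lt "$bc" ]; then return 1; fi
        i=$((i + 1))
    done
    return 0
}

# vscode_status VERSION -> prints a verdict; returns 0 if patched, 1 if vulnerable.
vscode_status() {
    if version_ge "$1" "$FIXED_VERSION"; then
        echo "patched: $1 >= $FIXED_VERSION"
        return 0
    else
        echo "VULNERABLE: $1 < $FIXED_VERSION (update via Help > Check for Updates)"
        return 1
    fi
}

# Use the argument if given, otherwise read the local installation
# (first line of `code --version`). Nothing runs if neither is available.
installed="${1:-$(code --version 2>/dev/null | head -n 1)}"
if [ -n "$installed" ]; then
    vscode_status "$installed"
fi
```

Run it as `sh check_vscode.sh` on the host, or `sh check_vscode.sh 1.57.1` to evaluate a version string gathered by inventory tooling; the exit status (0 patched, 1 vulnerable) makes it easy to use in a loop over many hosts.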

📡 Detection & Monitoring

Log Indicators:

  • Unusual process spawning from code.exe
  • Suspicious file access patterns in Visual Studio Code logs
  • Unexpected network connections from Visual Studio Code

Network Indicators:

  • Outbound connections to suspicious domains from Visual Studio Code process
  • Unexpected DNS queries for command and control infrastructure

SIEM Query:

process_name:"code.exe" AND (NOT parent_process:"explorer.exe" OR command_line:"*suspicious*" OR destination_ip:[malicious_ips])

This is pseudo-syntax; adapt it to your SIEM's query language, and replace the "*suspicious*" pattern and the [malicious_ips] list with values from your own threat intelligence before use.
