CVE-2021-43891

7.8 HIGH

📋 TL;DR

CVE-2021-43891 is a remote code execution vulnerability in Visual Studio Code that allows attackers to execute arbitrary code by tricking users into opening malicious workspace files. This affects users who open untrusted workspace files in Visual Studio Code. The vulnerability requires user interaction but can lead to full system compromise.

💻 Affected Systems

Products:
  • Visual Studio Code
Versions: All versions prior to 1.63.2
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Any Visual Studio Code installation running an affected version is vulnerable in its default configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise, with the attacker gaining full control of the victim's machine, stealing data, moving laterally, and establishing persistence.

🟠 Likely Case: Local privilege escalation leading to unauthorized access to sensitive files, credentials, and system resources on the affected machine.

🟢 If Mitigated: Limited impact, with proper user training and security controls preventing execution of malicious workspace files.

🌐 Internet-Facing: LOW - Requires user interaction and opening malicious files, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Internal users could be targeted via phishing or shared malicious workspace files.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction to open malicious workspace files. Proof-of-concept code has been publicly released.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.63.2 and later

Vendor Advisory: https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43891

Restart Required: Yes

Instructions:

1. Open Visual Studio Code.
2. Go to Help > Check for Updates.
3. Install the update to version 1.63.2 or later.
4. Restart Visual Studio Code after installation.

🔧 Temporary Workarounds

Disable workspace trust feature (applies to: all platforms)

  Disable the workspace trust feature to prevent automatic execution of workspace files.
  Add "security.workspace.trust.enabled": false to settings.json.

Restrict file opening (applies to: all platforms)

  Only open workspace files from trusted sources and verify file integrity.

🧯 If You Can't Patch

  • Implement application whitelisting to prevent execution of unauthorized code
  • Use endpoint detection and response (EDR) solutions to monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check the installed Visual Studio Code version: if it is lower than 1.63.2, the installation is vulnerable.

Check Version:

Run code --version on the command line, or check Help > About in Visual Studio Code.

Verify Fix Applied:

Verify that the Visual Studio Code version is 1.63.2 or later and that the workspace trust feature is configured as intended.

📡 Detection & Monitoring

Log Indicators:

  • Unusual process execution from Visual Studio Code
  • Suspicious workspace file loading events
  • Unexpected network connections from code.exe

Network Indicators:

  • Outbound connections to suspicious domains from Visual Studio Code process
  • Unexpected command and control traffic

SIEM Query:

Process creation events where Image contains 'code.exe' and CommandLine contains suspicious patterns (pseudo-query; adapt to your SIEM's syntax and to the process name on non-Windows platforms).
