CVE-2022-0671

9.1 CRITICAL

📋 TL;DR

This vulnerability in vscode-xml, the Red Hat XML extension for Visual Studio Code, lets an attacker who can get a victim to open a crafted XML document make the editor's XML language server (Eclipse LemMinX) download the schema or DTD that document references. The request is issued from the victim's machine to an attacker-chosen URL, so it can be used for blind server-side request forgery (SSRF) against hosts reachable from that machine, or for denial of service (DoS) when the referenced resource is a very large file. Anyone running Visual Studio Code with the XML extension below 0.19.0 is affected.

💻 Affected Systems

Products:
  • vscode-xml (Visual Studio Code XML extension)
  • Eclipse LemMinX XML language server
Versions: All versions prior to 0.19.0
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the XML extension to be installed and a crafted XML document to be opened in Visual Studio Code. The flaw is in the external-resource download code of the bundled LemMinX server, which fetches the schemas (XSD) and DTDs a document declares in order to validate it; other tools that embed LemMinX share that code path until they ship LemMinX 0.19.0.

📦 What is this software?

vscode-xml is Red Hat's XML extension for Visual Studio Code. It provides validation, completion, hover documentation and formatting for XML, XSD and DTD files by running the Eclipse LemMinX language server (a Java language server, also shipped as a native binary) as a child process of the editor. To validate a document against the schema or DTD it declares, LemMinX resolves the declared location and, for http(s) URLs, downloads the resource and caches it locally.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could use blind SSRF to probe internal networks, access internal services, or combine with other vulnerabilities for further exploitation, while DoS could crash the application or system.

🟠 Likely Case

Attackers exploiting SSRF to scan internal networks or access metadata services, or causing application instability through resource exhaustion.

🟢 If Mitigated

Limited impact with proper network segmentation, outbound firewall rules, and resource limits preventing successful exploitation.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: No
Weaponized: UNKNOWN
Unauthenticated Exploit: No (the attacker needs no credentials, but the victim must open the crafted document)
Complexity: LOW

Exploitation requires user interaction: the victim opens or edits an XML document whose schema or DTD location points at an attacker-chosen URL, for example a file in a cloned repository or a shared project. The download then runs with the victim's network position. No public exploit code has been identified.
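To make the trigger concrete and to hunt for risky documents before anyone opens them, here is an added Python example (not code from this page, vscode-xml or LemMinX) that extracts the schema and DTD locations an XML document declares and labels each target as internal, external or hostname-only. The sample documents are constructed for this example; 169.254.169.254 is the link-local cloud metadata address referred to above. The patterns cover xsi:schemaLocation, xsi:noNamespaceSchemaLocation, DOCTYPE SYSTEM/PUBLIC identifiers and xml-model processing instructions, which is broader than the single schema case the text mentions.

```python
"""Extract external schema/DTD references from XML documents.

Added example for CVE-2022-0671; not part of vscode-xml or LemMinX.
Every http(s) URL found here is a request the editor's XML language server
would issue from the developer's machine when the document is opened.
"""
import ipaddress
import re
from urllib.parse import urlparse

# Declaration forms that make a validating XML tool fetch a remote resource.
_PATTERNS = [
    # xsi:schemaLocation="namespace location namespace location ..."
    re.compile(r'xsi:schemaLocation\s*=\s*"([^"]*)"'),
    re.compile(r'xsi:noNamespaceSchemaLocation\s*=\s*"([^"]*)"'),
    # <!DOCTYPE root SYSTEM "url">  or  <!DOCTYPE root PUBLIC "id" "url">
    re.compile(r'<!DOCTYPE\s+\S+\s+(?:SYSTEM|PUBLIC\s+"[^"]*")\s+"([^"]*)"', re.I),
    # <?xml-model href="url" ...?>
    re.compile(r'<\?xml-model[^>]*\bhref\s*=\s*"([^"]*)"'),
]
_HTTP_URL = re.compile(r"^https?://", re.I)


def external_references(xml_text: str) -> list:
    """Return every http(s) URL the document asks a validator to load."""
    urls = []
    for pattern in _PATTERNS:
        for value in pattern.findall(xml_text):
            # schemaLocation is whitespace-separated namespace/URL pairs;
            # keep only the tokens that are actually fetchable URLs.
            urls.extend(tok for tok in value.split() if _HTTP_URL.match(tok))
    return urls


def classify_target(url: str) -> str:
    """'internal' for loopback/private/link-local IP literals, 'external' for
    other IP literals, 'hostname' when DNS would decide at fetch time."""
    host = urlparse(url).hostname or ""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"
    if ip.is_loopback or ip.is_private or ip.is_link_local:
        return "internal"
    return "external"


def triage(xml_text: str) -> list:
    """Pair each external reference with its target class."""
    return [(url, classify_target(url)) for url in external_references(xml_text)]


# Constructed sample documents (not real files).
BENIGN = """<?xml version="1.0"?>
<report xmlns="urn:example:report"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="urn:example:report https://schemas.example.com/report.xsd">
</report>"""

# Schema location pointing at the link-local cloud metadata endpoint.
METADATA_PROBE = """<?xml version="1.0"?>
<config xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:noNamespaceSchemaLocation="http://169.254.169.254/latest/meta-data/">
</config>"""

# DTD system identifier pointing at an internal host and port.
DOCTYPE_PROBE = """<?xml version="1.0"?>
<!DOCTYPE note SYSTEM "http://10.0.0.5:8080/schema.dtd">
<note/>"""

if __name__ == "__main__":
    for name, doc in [("benign", BENIGN), ("metadata", METADATA_PROBE), ("doctype", DOCTYPE_PROBE)]:
        print(name, triage(doc))
```

Run it over a checkout with a loop over `*.xml` files to see which documents would make the language server reach into your network; a "hostname" result still needs a DNS check, since an internal name resolves at fetch time.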

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.19.0

Vendor Advisory: https://github.com/redhat-developer/vscode-xml/blob/master/CHANGELOG.md#0190-february-14-2022

Restart Required: Yes

Instructions:

1. Open Visual Studio Code.
2. Open the Extensions view (Ctrl+Shift+X).
3. Search for 'XML' and select the XML extension published by Red Hat (redhat.vscode-xml).
4. Click Update and wait for the install to complete.
5. Reload or restart Visual Studio Code so the new language server is started.

🔧 Temporary Workarounds

Disable external resource downloads

Applies to: all platforms

Tell the extension not to download schemas and DTDs referenced by http(s) URLs. The setting was introduced alongside the fix in 0.19.0 (where it defaults to true), so earlier versions do not recognise the key; treat it as a hardening step after updating rather than a substitute for the update.

Add to settings.json: "xml.downloadExternalResources.enabled": false

Network restrictions

Applies to: all platforms

Block or proxy outbound HTTP(S) from the LemMinX language-server process that VS Code spawns (a Java process or the bundled native LemMinX binary). Rules that only cover the VS Code process itself miss these requests, because the download is made by the child process. Egress rules that deny developer workstations access to link-local (169.254.0.0/16) and internal management ranges remove the SSRF targets that matter most.

🧯 If You Can't Patch

  • Disable or uninstall the XML extension in Visual Studio Code
  • Implement strict network segmentation and egress filtering to limit outbound connections

🔍 How to Verify

Check if Vulnerable:

List installed extensions with their versions from a terminal where the code CLI is on PATH. The XML extension appears as redhat.vscode-xml@<version>; any version below 0.19.0 is vulnerable.

Windows (cmd/PowerShell): code --list-extensions --show-versions | findstr redhat.vscode-xml
Linux/macOS: code --list-extensions --show-versions | grep redhat.vscode-xml

Check Version:

Alternatively, open the Extensions view (Ctrl+Shift+X), select the XML extension by Red Hat, and read the version shown in the extension header.

Verify Fix Applied:

Confirm the listing shows redhat.vscode-xml@0.19.0 or later and that VS Code has been reloaded since the update, so the language server running is the patched one.
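The same check as a script, for example for fleet inventory: an added Python example (not the project's code) that parses the id@version lines printed by `code --list-extensions --show-versions` and compares against the 0.19.0 fix release. The listings used in the test are constructed; the live check at the bottom runs only if a code (or code.cmd) binary is on PATH.

```python
"""Assess the installed Red Hat XML extension against the 0.19.0 fix.

Added example for CVE-2022-0671; not part of vscode-xml. Parses the
`id@version` lines printed by `code --list-extensions --show-versions`.
"""
import shutil
import subprocess
from typing import Optional

EXTENSION_ID = "redhat.vscode-xml"
FIXED_VERSION = (0, 19, 0)


def parse_version(text: str) -> tuple:
    """'0.18.3' -> (0, 18, 3); a '-suffix' after the numeric part is ignored."""
    core = text.strip().split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def installed_version(listing: str) -> Optional[str]:
    """Version string of EXTENSION_ID in the CLI listing, or None if absent."""
    for line in listing.splitlines():
        ext_id, sep, version = line.strip().partition("@")
        if sep and ext_id.lower() == EXTENSION_ID:
            return version
    return None


def assess(listing: str) -> str:
    """'not-installed', 'vulnerable <v>' (below 0.19.0) or 'fixed <v>'."""
    version = installed_version(listing)
    if version is None:
        return "not-installed"
    status = "vulnerable" if parse_version(version) < FIXED_VERSION else "fixed"
    return f"{status} {version}"


def assess_local() -> str:
    """Run the real VS Code CLI if it is on PATH (code.cmd on Windows)."""
    cli = shutil.which("code") or shutil.which("code.cmd")
    if cli is None:
        return "vscode-cli-not-found"
    result = subprocess.run(
        [cli, "--list-extensions", "--show-versions"],
        capture_output=True, text=True, check=True,
    )
    return assess(result.stdout)


if __name__ == "__main__":
    print(assess_local())
```

Tuple comparison keeps 0.9.1 below 0.19.0, which a plain string comparison would get wrong.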

📡 Detection & Monitoring

Log Indicators:

  • Outbound HTTP(S) connections from the LemMinX language-server process (a Java process or the native lemminx binary) whose parent is the VS Code process, to hosts that are not known schema repositories
  • Connections from that process to loopback, RFC 1918 or link-local addresses, in particular 169.254.169.254 (cloud metadata)
  • Unusually large downloads (hundreds of MB) by that process, or the LemMinX download cache growing rapidly
  • XML documents in repositories whose xsi:schemaLocation, xsi:noNamespaceSchemaLocation or DOCTYPE SYSTEM identifiers point at internal addresses

Network Indicators:

  • Developer workstations contacting internal services they do not normally use, with the connection originating from a VS Code child process
  • Large transfers to developer workstations from hosts first seen in a schema location URL

SIEM Query:

Illustrative only; field names depend on your EDR/SIEM schema, and Code.exe is the Windows binary (the parent is code on Linux). The match is on the language-server child process, since the editor process itself does not issue the download:

parent_process_name:"Code.exe" AND (process_name:"java.exe" OR process_name:lemminx*) AND (dest_ip:(10.0.0.0/8 OR 172.16.0.0/12 OR 192.168.0.0/16 OR 169.254.0.0/16 OR 127.0.0.0/8) OR bytes_in:>104857600)
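A toy version of that rule over constructed endpoint events, as an added Python example (not from this page, vscode-xml or any SIEM product). The event fields process_name, parent_name, dest_ip and bytes_in are an assumed, simplified EDR schema, and the parent process names are assumptions for the Windows and Linux editor binaries; what the example demonstrates is keying on the VS Code child process rather than on Code.exe, and separating the SSRF signal (internal destination) from the DoS signal (oversized download).

```python
"""Toy detection rule for CVE-2022-0671 over constructed endpoint events.

Added example; not from the page, vscode-xml or any SIEM product. The schema
download is issued by the LemMinX language-server process that the XML
extension spawns (java, or the bundled native lemminx binary), so the rule
keys on VS Code *child* processes, not on Code.exe itself. Field names are an
assumed, simplified EDR schema.
"""
import ipaddress
import json

LARGE_DOWNLOAD_BYTES = 100 * 1024 * 1024   # the page's >100 MB heuristic
# Assumed process names of the editor itself (Windows / Linux binaries).
VSCODE_PARENTS = {"code.exe", "code"}


def is_internal(ip_text: str) -> bool:
    """Loopback, RFC 1918 and link-local (incl. 169.254.169.254) targets."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return ip.is_loopback or ip.is_private or ip.is_link_local


def evaluate(event: dict) -> list:
    """Reasons an event is suspicious; empty list means benign."""
    parent = event.get("parent_name", "").lower()
    proc = event.get("process_name", "").lower()
    is_language_server = parent in VSCODE_PARENTS and (
        proc.startswith("java") or "lemminx" in proc
    )
    if not is_language_server:
        return []
    reasons = []
    if is_internal(event.get("dest_ip", "")):
        reasons.append("language-server egress to internal address (SSRF probe)")
    if event.get("bytes_in", 0) > LARGE_DOWNLOAD_BYTES:
        reasons.append("oversized schema download (DoS)")
    return reasons


def scan(jsonl: str) -> list:
    """(event id, reasons) for every suspicious event in a JSON-lines log."""
    hits = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        reasons = evaluate(event)
        if reasons:
            hits.append((event["id"], reasons))
    return hits


# Constructed sample log: e1 probes the cloud metadata address, e2 pulls a
# 256 MB "schema", e3 is an ordinary schema fetch, e4 is unrelated traffic.
SAMPLE_EVENTS = """\
{"id": "e1", "process_name": "java.exe", "parent_name": "Code.exe", "dest_ip": "169.254.169.254", "bytes_in": 512}
{"id": "e2", "process_name": "java.exe", "parent_name": "Code.exe", "dest_ip": "93.184.216.34", "bytes_in": 268435456}
{"id": "e3", "process_name": "java.exe", "parent_name": "Code.exe", "dest_ip": "93.184.216.34", "bytes_in": 4096}
{"id": "e4", "process_name": "chrome.exe", "parent_name": "explorer.exe", "dest_ip": "10.0.0.5", "bytes_in": 1024}
"""

if __name__ == "__main__":
    for event_id, reasons in scan(SAMPLE_EVENTS):
        print(event_id, "->", "; ".join(reasons))
```

Event e4 reaches an internal address but is not a VS Code child, so it is ignored; that parent check is what keeps the rule from firing on every browser request to an intranet host.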
