Login Sign Up

CVE-2023-46248

9.0 CRITICAL
Remote Code Execution

📋 TL;DR

The Cody AI VSCode extension versions 0.10.0 through 0.14.0 are vulnerable to remote code execution when users open malicious repositories containing a modified .vscode/cody.json configuration file. Attackers who control a repository can overwrite Cody commands to execute arbitrary code on the victim's machine when they run commands like /explain or /doc. This affects developers using the vulnerable Cody extension in Visual Studio Code.

💻 Affected Systems

Products:
  • Cody AI VSCode Extension
Versions: 0.10.0 through 0.14.0
Operating Systems: Windows, macOS, Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerable regardless of VS Code Workspace Trust settings. Requires user to open malicious repository and execute Cody command.

📦 What is this software?

Cody by Sourcegraph

View all CVEs affecting Cody →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of the developer's machine, allowing attackers to execute arbitrary code, steal credentials, install malware, or pivot to internal networks.

🟠

Likely Case

Limited targeted attacks against developers who open malicious repositories, potentially leading to credential theft or malware installation.

🟢

If Mitigated

No impact if users upgrade to patched version or avoid untrusted repositories.

🌐 Internet-Facing: LOW - Requires user interaction with malicious repository, not directly internet-exposed.
🏢 Internal Only: MEDIUM - Developers working with untrusted code repositories internally could be targeted.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Requires attacker to control repository and victim to open it and execute Cody command. No evidence of malicious repositories in the wild.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.14.1

Vendor Advisory: https://github.com/sourcegraph/cody/security/advisories/GHSA-8wmq-fwv7-xmwq

Restart Required: Yes

Instructions:

1. Open VS Code. 2. Go to Extensions view. 3. Find Cody extension. 4. Click Update or reinstall. 5. Restart VS Code.

🔧 Temporary Workarounds

Disable Cody Extension

all

Temporarily disable the Cody extension until patched.

code --disable-extension sourcegraph.cody-ai

🧯 If You Can't Patch

  • Do not open untrusted repositories with Cody extension loaded.
  • Disable Cody extension when working with unknown repositories.

🔍 How to Verify

Check if Vulnerable:

Check Cody extension version in VS Code Extensions view. If version is between 0.10.0 and 0.14.0 inclusive, you are vulnerable.

Check Version:

code --list-extensions --show-versions | grep cody

Verify Fix Applied:

Verify Cody extension version is 0.14.1 or higher in VS Code Extensions view.

📡 Detection & Monitoring

Log Indicators:

  • Unusual Cody command executions
  • Modifications to .vscode/cody.json files

Network Indicators:

  • Downloads from untrusted repositories with Cody configuration files

SIEM Query:

process.name:"code" AND file.path:"*/.vscode/cody.json" AND file.modified:true

📊 Metadata

CVE ID: CVE-2023-46248
CVSS v3 Score: 9.0 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
CWE: CWE-15
Published: October 31, 2023
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-46248, you might also want to check these:

CVE-2024-4326 9.8

This vulnerability allows remote attackers to execute arbitrary code on systems running vulnerable v...

Same vulnerability type (CWE-15)
CVE-2026-22708 9.8

This vulnerability in Cursor AI code editor allows attackers to execute shell built-ins without allo...

Same vulnerability type (CWE-15)
CVE-2021-38453 9.1

This vulnerability allows attackers to interact with the Windows registry through exposed API functi...

Same vulnerability type (CWE-15)