CVE-2025-68120

5.4 MEDIUM

📋 TL;DR

The Visual Studio Code Go extension contains a vulnerability that could allow untrusted code execution when opening projects in Restricted Mode. This affects developers using VS Code with the Go extension installed. The vulnerability has been addressed by disabling the extension in Restricted Mode by default.

💻 Affected Systems

Products:
  • Visual Studio Code Go extension
Versions: All versions before the fix
Operating Systems: Windows, Linux, macOS
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users with the Go extension installed who open projects in Restricted Mode.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution when opening malicious Go projects in VS Code Restricted Mode, potentially compromising the developer's system.

🟠 Likely Case

Limited impact since Restricted Mode is designed to prevent untrusted code execution, but the vulnerability bypasses some of these protections.

🟢 If Mitigated

Minimal impact if the Go extension is disabled in Restricted Mode or if users avoid opening untrusted projects.

🌐 Internet-Facing: LOW
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires user interaction (opening a malicious project in Restricted Mode).

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Latest version of VS Code Go extension

Vendor Advisory: https://pkg.go.dev/vuln/GO-2025-4249

Restart Required: Yes

Instructions:

1. Update Visual Studio Code to latest version.
2. Update Go extension to latest version.
3. Restart VS Code.

🔧 Temporary Workarounds

Disable Go extension in Restricted Mode

all

Manually disable the Go extension when working in Restricted Mode

In VS Code: Ctrl+Shift+P > 'Developer: Show Running Extensions' > Disable Go extension

Avoid Restricted Mode for Go projects

all

Only open trusted Go projects or disable Restricted Mode for Go development

🧯 If You Can't Patch

  • Disable the Go extension entirely in VS Code settings
  • Use alternative Go development environments for untrusted projects

🔍 How to Verify

Check if Vulnerable:

Check if Go extension is enabled in VS Code Restricted Mode settings

Check Version:

In VS Code: Ctrl+Shift+P > 'Extensions: Show Installed Extensions' > Find Go extension

Verify Fix Applied:

Verify Go extension is disabled in Restricted Mode or check extension version is latest

📡 Detection & Monitoring

Log Indicators:

  • VS Code extension activation logs showing Go extension in Restricted Mode
  • Unexpected process execution from Go tools

Network Indicators:

  • Unusual outbound connections from VS Code process during Go project analysis

SIEM Query:

process.name:vscode AND process.cmdline:*go* AND event.action:execute
