CVE-2026-25931
📋 TL;DR
This vulnerability in the vscode-spell-checker extension allows arbitrary code execution when opening untrusted VS Code workspaces. An attacker can place a malicious JavaScript configuration file in a workspace so that it executes with the user's privileges when the workspace is opened. All users of vscode-spell-checker versions before 4.5.4 are affected.
💻 Affected Systems
- vscode-spell-checker (VS Code extension)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Full system compromise via arbitrary code execution with user privileges, potentially leading to data theft, ransomware deployment, or lateral movement.
Likely Case
Local privilege escalation and execution of malicious payloads when users open untrusted VS Code workspaces containing crafted configuration files.
If Mitigated
No impact if the extension is patched, or if workspace trust is properly managed and untrusted workspaces are not opened.
🎯 Exploit Status
Exploitation requires the user to open a malicious workspace, but the attack vector is straightforward once the workspace is opened.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v4.5.4
Vendor Advisory: https://github.com/streetsidesoftware/vscode-spell-checker/security/advisories/GHSA-mggq-68mr-58vj
Restart Required: Yes
Instructions:
1. Open VS Code.
2. Go to the Extensions view (Ctrl+Shift+X).
3. Search for 'Code Spell Checker'.
4. Click Update or install v4.5.4 or later.
5. Reload the VS Code window.
🔧 Temporary Workarounds
Disable workspace trust bypass
Applies to: all
Manually set cSpell.trustedWorkspace to false in workspace settings.
Add to .vscode/settings.json: "cSpell.trustedWorkspace": false
Disable JavaScript config files
Applies to: all
Prevent loading of JavaScript/TypeScript configuration files.
Add to .vscode/settings.json: "cSpell.enableFiletypes": ["plaintext", "markdown"]
🧯 If You Can't Patch
- Avoid opening untrusted VS Code workspaces
- Use VS Code's built-in workspace trust features and never bypass warnings
🔍 How to Verify
Check if Vulnerable:
Check the extension version in the VS Code Extensions view, or run (Windows):
code --list-extensions --show-versions | findstr spell-checker
Check Version:
code --list-extensions --show-versions | grep streetsidesoftware.code-spell-checker
Verify Fix Applied:
Verify extension version is 4.5.4 or higher in Extensions view
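As an added example (not part of this advisory or of the extension's own tooling), the following Python helper parses the output of the version check above, compares the installed version numerically against 4.5.4, and confirms that a workspace's .vscode/settings.json carries the cSpell.trustedWorkspace workaround from the section above. The extension listing and settings file contents are constructed sample data.

```python
"""Audit helper: flag vscode-spell-checker installs below the patched
version and check that a workspace applies the trustedWorkspace workaround.
Constructed example; not part of the advisory or the extension's tooling."""
import json
import re

EXTENSION_ID = "streetsidesoftware.code-spell-checker"
FIXED_VERSION = (4, 5, 4)  # patch version named in the advisory


def parse_version(text):
    """Turn '4.5.3' or '4.10.0-pre' into a tuple of ints so that versions
    compare numerically ('4.10.0' sorts above '4.5.4', unlike string order)."""
    core = text.split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def installed_spell_checker_version(listing):
    """Parse `code --list-extensions --show-versions` output (one
    'publisher.name@version' per line); return the version or None."""
    for line in listing.splitlines():
        m = re.match(r"^\s*([\w.-]+)@(\S+)\s*$", line)
        if m and m.group(1).lower() == EXTENSION_ID:
            return m.group(2)
    return None


def is_vulnerable_version(version):
    """True when the installed version predates the 4.5.4 fix."""
    return parse_version(version) < FIXED_VERSION


def workspace_trust_disabled(settings_json_text):
    """True only if .vscode/settings.json explicitly sets
    cSpell.trustedWorkspace to false. Assumes plain JSON; a settings file
    with comments (JSONC) would need a JSONC parser first."""
    try:
        settings = json.loads(settings_json_text)
    except json.JSONDecodeError:
        return False
    return settings.get("cSpell.trustedWorkspace") is False


# Constructed sample data standing in for real CLI output and a settings file.
SAMPLE_LISTING = "ms-python.python@2024.2.1\nstreetsidesoftware.code-spell-checker@4.5.3\n"
SAMPLE_SETTINGS = '{"editor.formatOnSave": true, "cSpell.trustedWorkspace": false}'

if __name__ == "__main__":
    v = installed_spell_checker_version(SAMPLE_LISTING)
    print("not installed" if v is None else f"{v} vulnerable={is_vulnerable_version(v)}")
    print("trust disabled:", workspace_trust_disabled(SAMPLE_SETTINGS))
```

Replace SAMPLE_LISTING with the real output of code --list-extensions --show-versions and SAMPLE_SETTINGS with the workspace's settings file to audit a machine.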
📡 Detection & Monitoring
Log Indicators:
- VS Code extension host loading .cspell.config.js files from untrusted workspaces
- Unusual Node.js process execution from VS Code context
Network Indicators:
- Unexpected outbound connections from VS Code process after opening workspace
SIEM Query:
process_name:vscode AND (process_cmdline:*cspell.config.js* OR (process_cmdline:*node* AND parent_process:vscode))
🔗 References
- https://drive.google.com/file/d/1mT4SOkkHSHU6NFfKwekysydAd3FUAC6K/view?usp=sharing
- https://github.com/streetsidesoftware/vscode-spell-checker/commit/f39af9a3a6f2a939a57171a24161ed735d41c575
- https://github.com/streetsidesoftware/vscode-spell-checker/releases/tag/code-spell-checker-v4.5.4
- https://github.com/streetsidesoftware/vscode-spell-checker/security/advisories/GHSA-mggq-68mr-58vj