VS Code - Remote Code Execution Vulnerability
A remote code execution vulnerability exists in VS Code 1.119.0 and earlier versions, in the internal protocol that webviews use to load the VS Code-controlled root webview content. This could result in untrusted scripts being run inside the webview.
Patches
The fix is available starting with VS Code 1.119.1. The fix (1dbe285) mitigates this attack by making sure the correctly sized buffer is passed to the webview protocol provider.
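To check an installed copy against this advisory, the following added example (not part of the original advisory or of VS Code itself) classifies a version string relative to the first fixed release, 1.119.1. The function names are hypothetical, and ignoring a build suffix such as "-insider" is an assumption of the example.

```shell
#!/bin/sh
# Added example: classify a VS Code version against the advisory's fixed release.
FIXED_VERSION="1.119.1"   # first fixed release, taken from the advisory

# parse_version STRING: prints "major minor patch"; fails on malformed input.
parse_version() {
    v=${1%%[-+]*}                     # assumption: drop suffixes like "-insider"
    case $v in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # reject anything but N.N.N
    esac
    old_ifs=$IFS; IFS=.
    set -- $v                         # split on dots into $1 $2 $3
    IFS=$old_ifs
    [ $# -eq 3 ] || return 1
    echo "$1 $2 $3"
}

# classify_vscode_version STRING: prints vulnerable, patched or unknown.
classify_vscode_version() {
    have=$(parse_version "$1") || { echo unknown; return 0; }
    want=$(parse_version "$FIXED_VERSION")
    set -- $have $want                # $1-$3 installed, $4-$6 fixed
    # Compare numerically field by field; a string compare would rank
    # 1.98.x above 1.119.x and wrongly report it as patched.
    for pair in "$1:$4" "$2:$5" "$3:$6"; do
        inst=${pair%%:*}; fixed=${pair##*:}
        if [ "$inst" -lt "$fixed" ]; then echo vulnerable; return 0; fi
        if [ "$inst" -gt "$fixed" ]; then echo patched; return 0; fi
    done
    echo patched                      # equal to the fixed release
}

# Stand-alone use: pass the first line of `code --version`, for example
#   sh check_vscode.sh "$(code --version | head -n 1)"
if [ $# -gt 0 ]; then
    echo "VS Code $1: $(classify_vscode_version "$1")"
fi
```

A result of `unknown` means the string was not a three-part numeric version and should be reviewed by hand rather than treated as patched.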
Workarounds
Do not open webviews that can load untrusted content.