VS Code - Remote Code Execution Vulnerability
A remote code execution vulnerability exists in VS Code 1.119.0 and earlier versions in the webview used by Jupyter notebooks. It could be used to bypass the sanitization of rendered Markdown in untrusted workspaces and run untrusted content inside the webview.
The root cause is an incorrect buffer being used by the internal protocol that webviews use to load the VS Code-controlled root webview content.
Patches
The fix is available starting with VS Code 1.119.1. The fix (1dbe285) mitigates this attack by ensuring that a correctly sized buffer is passed to the webview protocol provider.
Workarounds
Do not open notebook files from untrusted sources.
References