CVE-2022-41034 _ Visual Studio Code RCE

CVE-2022-41034 _ Visual Studio Code RCE

📅 [ Archival Date ]
Dec 9, 2022 11:09 AM
🏷️ [ Tags ]
✍️ [ Author ]
Thomas Neil James Shadwell (Zemnmez)

CVE-2022-41034 Visual Studio (Microsoft) v1.4.0 ≤x≤ v1.71.1


An attacker could, through a link or website, take over the computer of a Visual Studio Code user and any computers they were connected to via the Visual Studio Code Remote Development feature. This issue affected at least GitHub Codespaces,, the web-based Visual Studio Code for Web and to a lesser extent Visual Studio Code desktop.


Critical - This vulnerability allows remote code execution for any computer connected via Visual Studio Code.

Proof of Concept

Visual Studio Code places various levels of security restriction on content opened in the editor to prevent a malicious attacker creating a view window that is able to execute a ‘command:’ link.

A primary method by which the editor performs these restrictions is the internal trust model, which retains an ‘isTrusted’ annotation when views are opened. Documents that are opened with ‘isTrusted’ set to true are able to execute ‘command:’ URIs, as well as directly create unsafe HTML in Jypiter Notebook mode.

A Jypiter Notebook is a type of rich text document supported out of the box by Visual Studio Code. Used primarily in data science, it is made up of multiple segments of Python code, Markdown, HTML and other formats. The Python code is run on the viewer machine to generate diagrams. Because running potentially foreign or malicious code is dangerous, a Jypiter notebook normally starts in untrusted mode and the user is shown a dialog to confirm trust. When the document is trusted most security restrictions are bypassed.

Each Visual Studio Code window is its own instance of Visual Studio Code. To facilitate opening the same file in a new editor window, an ‘openFile’ parameter is provided for the editor internals to construct. openFile is a ‘payload’ parameter, where ‘payload’ is a series of flags given to the editor via URL query parameters when it starts. Files opened this way are opened in trusted mode because the editor assumes that it was triggered by a user gesture in the editor.

The payload parameter is a query-encoded JSON. The unencoded form for opening a local file from c:/something.txt looks like this: [["openFile","file://c:/something.txt"]] . This then becomes ?payload=%5B%5B%22openFile%22%2C%22file%3A%2F%2Fc%3A%2Fsomething.txt%22%5D%5D.

We can prepare an HTTP server that always allows its remote content to be downloaded via CORS. If Visual Studio Code loads this remote file from a URL that ends in ‘.ipynb’, it will be opened as a Jypiter Notebook in trusted mode immediately when the user follows the link.

package main

import "net/http"

const file = `{
 "cells": [
   "cell_type": "markdown",
   "metadata": {},
   "source": [
    "<img src=a onerror=\"let q = document.createElement('a');q.href='

func Do() (err error) {
	return http.ListenAndServe(":http-alt" /* 8080 */, http.HandlerFunc(func(rw http.ResponseWriter, rq *http.Request) {
		rw.Header().Set("Access-Control-Allow-Origin", "*")

func main() {
	if err := Do(); err != nil {

The contents of the ‘file’ in this code are a single Markdown cell in ipynb format. Because Markdown allows arbitrary HTML, in trusted mode, we can inject any HTML code we want into the webview.

For legacy security reasons, you can’t run JavaScript code directly from <script> tags in HTML code that is injected after the page fully loads. To mitigate this our code creates an image, an <a> tag with a target that does not exist. The tag is configured so that upon the immediate failure it runs our JavaScript code.

Because ‘command:’ is not a standard browser feature, VSCode injects this functionality by detecting when an ‘a’ element, a link is added to the document. Our JavaScript code creates this link, adds it to the page and then immediately clicks it as though the user did themselves.

This gives us the ability to run arbitrary commands via the command: URI feature but to take over the victim’s computer or the computer they’re connected to, we need to issue commands directly to the victim’s machine. We start with the command ‘’. This identifier isn’t documented, but can be found in the source code.

Command URIs may specify ‘args’ in the query component of the URI, which are passed to the command as though it was called directly from JavaScript. ‘’ can take an ICreateTerminalOptions object which itself has an IShellLaunchConfig object as its ‘config’ parameter. IShellLaunchConfig has an ‘executable’ parameter which lets you override the command the program tries to run when it starts.

Thus, our command URI, which makes the user launch a new terminal, and instructs that terminal to run ‘vim /etc/passwd’. This opens the password file of the user’s computer, demonstrating our ability to run code on their machine.

Once the server described above is run, when victim clicks a prepared link (for example,%22https://%5Bserver_location_goes_here%5D/something.ipynb%22) VSCode will load the file, detect it as a Jypiter Notebook, and immediately run a command on the user’s machine.

Further Analysis

This vulnerability affected, CodeSpaces and may affect other web-based implementations of VSCode OSS. VSCode vulnerability disclosure.

This vulnerability has been remediated by Microsoft patch


Date reported: 8/24/2022

Date fixed: 10/11/2022

Date disclosed: 11/22/2022