You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
A remote code execution vulnerability exists in VS Code 1.64.0 and earlier versions when debugging VS Code extensions remotely, for example using the Visual Studio Code Remote - SSH extension to connect to a machine and then develop a VS Code extension on that machine. When debugging VS Code extensions remotely, the remote extension host process would be launched in a way in which it would listen for debugger connections on all network interfaces.
Patches
The fix is available starting with VS Code 1.64.1. The fix (91f7694) mitigates this attack by launching the remote extension host in a way in which it listens for debugger connections only on the loopback interface when debugging VS Code extensions remotely.
Workarounds
There are no known workarounds for debugging VS Code extensions remotely. An alternative would be to develop and debug VS Code extensions locally.
alexdima
added
security
debug
Debug viewlet, configurations, breakpoints, adapter issues
and removed
bug
Issue identified by VS Code Team member as probable bug
verified
Verification succeeded
important
Issue identified as high-priority
labels
May 25, 2022
Sign up for freeto subscribe to this conversation on GitHub.
Already have an account?
Sign in.
VS Code - Remote Code Execution Vulnerability
A remote code execution vulnerability exists in VS Code 1.64.0 and earlier versions when debugging VS Code extensions remotely, for example using the Visual Studio Code Remote - SSH extension to connect to a machine and then develop a VS Code extension on that machine. When debugging VS Code extensions remotely, the remote extension host process would be launched in a way in which it would listen for debugger connections on all network interfaces.
Patches
The fix is available starting with VS Code 1.64.1. The fix (91f7694) mitigates this attack by launching the remote extension host in a way in which it listens for debugger connections only on the loopback interface when debugging VS Code extensions remotely.
Workarounds
There are no known workarounds for debugging VS Code extensions remotely. An alternative would be to develop and debug VS Code extensions locally.
References
The text was updated successfully, but these errors were encountered: