A remote code execution vulnerability exists in VS Code 1.64.0 and earlier versions when debugging VS Code extensions remotely, for example when using the Visual Studio Code Remote - SSH extension to connect to a machine and then developing a VS Code extension on that machine. In that scenario, the remote extension host process was launched so that it listened for debugger connections on all network interfaces.
Patches
The fix is available starting with VS Code 1.64.1. The fix (91f7694) mitigates this attack by launching the remote extension host so that it listens for debugger connections only on the loopback interface when debugging VS Code extensions remotely.
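To confirm on a remote development machine that a debugger socket is bound only to loopback, the following added example (not part of the advisory or of VS Code) parses `ss -H -ltnp` output and reports listeners owned by a given process that are bound to a non-loopback address. It assumes the extension host shows up under the process name `node`; the sample lines, PIDs and ports are constructed.

```python
import ipaddress
import re

# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:40211 0.0.0.0:* users:(("node",pid=4121,fd=21))
LISTEN 0 511 127.0.0.1:40877 0.0.0.0:* users:(("node",pid=4188,fd=21))
LISTEN 0 511 [::]:41002 [::]:* users:(("node",pid=4203,fd=22))
LISTEN 0 511 [::1]:41550 [::]:* users:(("node",pid=4250,fd=22))
LISTEN 0 128 *:22 *:* users:(("sshd",pid=801,fd=3))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=612,fd=14))
"""

# Matches each ("name",pid=N,...) owner entry in the ss "users:" column.
PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def is_loopback(host):
    """True only for 127.0.0.0/8 or ::1; wildcard binds are not loopback."""
    host = host.strip("[]").split("%", 1)[0]  # drop brackets and %iface scope
    if host == "*":
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: report it rather than hide it

def exposed_listeners(ss_output, process_names=("node",)):
    """Return (name, pid, host, port) for listeners not bound to loopback.

    process_names is an assumption: adjust it to the binary that runs the
    extension host on the machine being checked.
    """
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        for name, pid in PROC_RE.findall(" ".join(fields[5:])):
            if name in process_names and not is_loopback(host):
                findings.append((name, int(pid), host, int(port)))
    return findings

if __name__ == "__main__":
    for name, pid, host, port in exposed_listeners(SAMPLE_SS):
        print(f"{name} pid={pid} listens on {host}:{port} (not loopback)")
```

On a live host, pass the text captured from `ss -H -ltnp` to `exposed_listeners`; without root, `ss -p` only shows owners for the current user's processes.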
Workarounds
There are no known workarounds for debugging VS Code extensions remotely. An alternative would be to develop and debug VS Code extensions locally.
References