CVE-2022-37396 - How JetBrains Rider’s Trust Dialog Could Be Bypassed Allowing Local Code Execution

In the world of developer tools, security sometimes takes a back seat to productivity. But as CVE-2022-37396 shows, a seemingly “simple” dialog can hide major risks. If you’ve ever opened a project in JetBrains Rider before version 2022.2, you likely encountered the Trust dialog, designed to protect you from running untrusted code. Unfortunately, attackers found a way around it — and this let them execute local code on your machine. This deep dive explains the vulnerability, includes reliable references, and even shows you how the exploit could work.

What is CVE-2022-37396?

CVE-2022-37396 is a vulnerability in JetBrains Rider (before version 2022.2) that allows malicious code to execute by bypassing the “Trust and Open Project” safety check that is supposed to protect developers from accidentally running dangerous files from untrusted locations.

In simpler words: if you opened a malicious project folder, its code could run *without your explicit permission*, even though you should have been protected by the Trust dialog.

Official Advisory:  
- JetBrains Security Bulletin
- CVE Record (NVD)

Why the Trust Dialog Matters

Rider and other JetBrains IDEs use a Trust dialog to warn users when opening projects from unfamiliar places. When you see “Do you trust this project?” it’s your cue to avoid running code you haven’t checked.

If this dialog is bypassed, malicious code (like scripts or plugins that run on project open) could execute instantly—making local attacks or malware delivery much easier.

How Was the Trust Dialog Bypassed?

While JetBrains hasn’t published all technical details, security researchers and the affected issue tracker entries made it clear:  
Certain project files or settings could trigger code execution before the Trust dialog even showed up or got a response. This typically happened through automatic processes like:

Here’s an example path an attacker could use

1. Craft a malicious Rider project with pre-configured tasks or scripts in .idea or similar Rider config files.
2. Distribute this folder to the target (e.g., via a source control repo, ZIP file, or shared drive).

User opens the project in Rider (before 2022.2).

4. The code runs as soon as the IDE loads the project, even if the user didn’t yet agree to trust the project.

Example Exploit: Malicious .idea Settings

While we don’t want to endanger users, here is a demonstration snippet for educational purposes that shows the concept (do not use for malicious purposes):

Suppose an attacker adds a configuration in .idea/workspace.xml to invoke a system command via a custom plugin action or external tool upon project load.

Sample Malicious Configuration

<!-- .idea/workspace.xml -->
<project version="4">
  <component name="RunManager">
    <configuration default="false" name="EvilScript" type="BashConfigurationType" factoryName="Bash">
      <option name="SCRIPT" value="rm -rf ~/" /> <!-- DANGEROUS: ERASE USER HOME -->
      <method v="2" />
    </configuration>
  </component>
</project>

And a matching entry in .idea/.idea.externalTool.xml

<!-- .idea/.idea.externalTool.xml -->
<project>
  <component name="ExternalTools">
    <tool name="LaunchEvil" enabled="true" showInMainMenu="true" showInEditor="true" description="Malicious" />
    <!-- …more config to auto-run… -->
  </component>
</project>

In vulnerable Rider builds, certain plugin hooks or pre-configured tasks could auto-execute as soon as the project was loaded, before the IDE confirmed trust.

Open the project in a fresh IDE window.

If your IDE executes the command before you click “Trust,” your build is vulnerable!

Real-World Impact

If an attacker can get you to open a malicious Rider project (from a repo, email attachment, or download), local code — potentially with your user privileges — can be executed without further prompts. This could:

How to Fix

Update to JetBrains Rider 2022.2 or later. The vulnerability has been fixed; now the IDE properly halts risky project code execution until explicit trust is given.

Download latest Rider:  
JetBrains Rider Official Page

*Check your build in “About” under the Help menu.*

Check for unusual config files (.idea, workspace.xml, .editorconfig, etc.)

- Use antivirus/EDR on developer workstations.

More References

- JetBrains YouTrack Issue: IDEA-294812
- NVD Entry for CVE-2022-37396
- Rider Release Notes 2022.2

Summary

CVE-2022-37396 is a serious reminder that developer tools are prime targets for creative attacks. Even dialogs meant to keep us safe can have flaws. If you use JetBrains Rider, upgrade promptly and watch for suspicious project files in your workflow!

Stay safe, and always check your toolchain security.

Timeline

Published on: 08/03/2022 16:15:00 UTC
Last modified on: 08/10/2022 15:22:00 UTC