VSCode remote code execution advisory

#72 · 🔥 336 · 💬 178 · one year ago · github.com · dijit · 📷
Summary
An attacker could, through a link or website, take over the computer of a Visual Studio Code user and any computers they were connected to via the Visual Studio Code Remote Development feature. Dev, the web-based Visual Studio Code for Web and to a lesser extent Visual Studio Code desktop.

Severity
Critical - This vulnerability allows remote code execution for any computer connected via Visual Studio Code.

Proof of Concept
Visual Studio Code places various levels of security restriction on content opened in the editor to prevent a malicious attacker creating a view window that is able to execute a 'command:' link. Each Visual Studio Code window is its own instance of Visual Studio Code. Txt"]]. We can prepare an HTTP server that always allows its remote content to be downloaded via CORS. If Visual Studio Code loads this remote file from a URL that ends in '. For legacy security reasons, you can't run JavaScript code directly from <script> tags in HTML code that is injected after the page fully loads.