Summary
A vulnerability was identified where certain VS Code workspace configuration files (.code-workspace) were not protected in the same way as the .vscode folder. If the agent was configured to auto-approve file writes, an attacker able to influence prompts (for example via prompt injection) could cause malicious workspace settings or tasks to be written. These tasks could then be executed automatically when the workspace is reopened, resulting in arbitrary code execution.
Impact
Attack complexity is high: exploitation requires both the ability to submit prompts to the agent and a user who has enabled auto-approve for file writes (which is off by default). The severity is nonetheless high, since successful exploitation allows arbitrary code execution in the victim’s environment.
Remediation
We mitigated the issue by adding *.code-workspace to the list of protected files. Any write attempts to these files now require explicit opt-in approval rather than being auto-approved.
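The check described above can be sketched as follows. This is an added example, not the project's own code: the names PROTECTED_PATTERNS, normalizePath, isWriteProtected and decideWrite are hypothetical, and it assumes the agent hands the check a workspace-relative path together with the user's auto-approve setting.

```javascript
// Added illustration of a write-protection gate; all names are hypothetical.
// Patterns are matched against a normalized, lower-cased, "/"-separated path.
const PROTECTED_PATTERNS = [
  /(^|\/)\.vscode(\/|$)/, // anything inside a .vscode folder, at any depth
  /\.code-workspace$/,    // any *.code-workspace file, at any depth
];

// Normalize before matching so that "src/../.vscode/tasks.json",
// "sub\\dir\\Team.CODE-WORKSPACE" and similar spellings cannot slip past
// a naive string comparison.
function normalizePath(relPath) {
  const segments = [];
  for (const seg of relPath.replace(/\\/g, "/").split("/")) {
    if (seg === "" || seg === ".") continue;     // skip empty and "." segments
    if (seg === "..") { segments.pop(); continue; } // resolve parent references
    segments.push(seg);
  }
  // Lower-case because Windows and default macOS filesystems ignore case.
  return segments.join("/").toLowerCase();
}

function isWriteProtected(relPath) {
  const p = normalizePath(relPath);
  return PROTECTED_PATTERNS.some((re) => re.test(p));
}

// Returns "ask" when the user must approve the write explicitly,
// "auto-approve" only for unprotected paths with auto-approve enabled.
function decideWrite(relPath, autoApproveWrites) {
  if (isWriteProtected(relPath)) return "ask"; // the protected list wins over auto-approve
  return autoApproveWrites ? "auto-approve" : "ask";
}

// Constructed sample paths, evaluated with auto-approve enabled.
const samples = [
  "src/app.js",
  "project.code-workspace",
  "sub\\dir\\Team.CODE-WORKSPACE",
  "src/../.vscode/tasks.json",
  "docs/code-workspace.md",
];
for (const s of samples) {
  console.log(s, "->", decideWrite(s, true));
}
```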