Claude Code WebSocket Vulnerability in VSCode and JetBrains IDEs
Vulnerability
A vulnerability exists in the Claude Code extensions for VSCode and JetBrains IDEs that allows unauthorized WebSocket connections from attacker-controlled webpages. In VSCode, including forks like Cursor, Windsurf, and VSCodium, versions from 0.2.116 up to, but not including, 1.0.24 are affected. For JetBrains IDEs such as IntelliJ, PyCharm, and Android Studio, the vulnerable versions are Claude Code [Beta] 0.1.1 through 0.1.8. Exploitation in VSCode could lead to unauthorized file access, visibility of open files, interception of selection and diagnostic events, or limited code execution in Jupyter Notebooks. In JetBrains IDEs, an attacker could access similar selection and file information, along with syntax error details.
Impact
Successful exploitation allows attackers to establish unauthorized WebSocket connections, potentially leading to unauthorized access to files, interception of IDE events, and in VSCode, limited code execution under certain conditions.
Remediation
Users should update the Claude Code extension for VSCode to version 1.0.24 or later, or for JetBrains IDEs, update the Claude Code [Beta] plugin to version 0.1.9 [Beta] or later.
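To triage a fleet against the affected ranges above, the following added example (not part of the original advisory or of the vendor's tooling) flags installs that still need the update. The `host,family,version` inventory format and the host names are assumptions made for illustration.

```python
import re

# Affected ranges as stated in the advisory: (first affected, first fixed).
# "vscode" also covers forks such as Cursor, Windsurf and VSCodium.
AFFECTED = {
    "vscode": ((0, 2, 116), (1, 0, 24)),   # 0.2.116 up to, not including, 1.0.24
    "jetbrains": ((0, 1, 1), (0, 1, 9)),   # 0.1.1 through 0.1.8; fixed in 0.1.9
}

def parse_version(text):
    """Extract a numeric x.y.z tuple, ignoring labels such as '[Beta]'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(p) for p in m.groups())

def is_affected(family, version_text):
    """True when the version falls inside the advisory's affected range."""
    first_bad, first_fixed = AFFECTED[family]
    return first_bad <= parse_version(version_text) < first_fixed

def audit(inventory):
    """Return (host, family, version, fixed_in) for each affected install.
    inventory: iterable of 'host,family,version' lines (assumed format)."""
    findings = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, family, version = (f.strip() for f in line.split(",", 2))
        family = family.lower()
        if family in AFFECTED and is_affected(family, version):
            fixed = ".".join(map(str, AFFECTED[family][1]))
            findings.append((host, family, version, fixed))
    return findings

# Constructed sample inventory (hypothetical hosts, not real data).
SAMPLE = """\
# host,family,version
dev-01,vscode,1.0.23
dev-02,vscode,1.0.24
dev-03,jetbrains,0.1.8 [Beta]
dev-04,jetbrains,0.1.9 [Beta]
dev-05,vscode,0.2.115
""".splitlines()

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("AFFECTED host=%s family=%s version=%s update_to>=%s" % row)
```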
