Microsoft GitHub Copilot and Visual Studio Code Command Injection Vulnerability Leading to Remote Code Execution
Vulnerability
A command injection vulnerability has been identified in GitHub Copilot and Visual Studio Code that allows an unauthorized attacker to execute code on the local machine. The issue arises from improper handling of special elements in commands; an attacker can exploit it by modifying the project's workspace settings so that user confirmations are disabled. Once exploited, the attacker can run terminal commands, potentially leading to full system compromise.
Impact
Exploitation of this vulnerability allows for arbitrary code execution on the affected machine, with the executed code running in the context of the user.
Reproduction
To reproduce this vulnerability, first inject a prompt into a source code file or other content that GitHub Copilot can access. This prompt should include a command injection payload designed to exploit the application's handling of commands. Once the prompt is injected, GitHub Copilot can be manipulated into executing the injected commands, bypassing the normal user confirmation step.
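Because the attack path above depends on a workspace settings file being changed to disable confirmations, one useful defensive control is to audit those files in code review or CI. The following script is an added example for this advisory, not code from Microsoft, GitHub or the advisory itself. It parses VS Code's JSON-with-comments settings dialect and flags denylisted keys set to anything other than an explicit off value. The advisory does not name the setting involved, so the key `chat.tools.autoApprove` in the denylist is an assumption for illustration; adjust the list to your own policy.

```python
"""Audit VS Code workspace settings for keys that disable user confirmation.

Added example (not from the advisory, Microsoft or GitHub). It scans
.vscode/settings.json-style content for settings that auto-approve agent or
terminal actions, which is the change an injected prompt would need to make.
The key names in CONFIRMATION_BYPASS_KEYS are assumptions: the advisory does
not name the specific setting.
"""
import json
import re
from pathlib import Path
from typing import Dict, Iterable, List, Tuple

# Assumed denylist: settings whose non-false value removes the confirmation
# prompt before tools or terminal commands run. "chat.tools.autoApprove" is the
# VS Code experimental setting this example assumes is the relevant one.
CONFIRMATION_BYPASS_KEYS = frozenset({
    "chat.tools.autoApprove",
})

# Match a JSON string first so that "//" or "/*" inside a string is preserved;
# otherwise match a // line comment or a /* block */ comment.
_COMMENT_RE = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.S)
# Same trick for trailing commas before } or ], which settings.json tolerates.
_TRAILING_COMMA_RE = re.compile(r'("(?:\\.|[^"\\])*")|,(\s*[}\]])')


def strip_jsonc(text: str) -> str:
    """Turn JSON-with-comments (the settings.json dialect) into strict JSON."""
    no_comments = _COMMENT_RE.sub(lambda m: m.group(1) or "", text)
    return _TRAILING_COMMA_RE.sub(lambda m: m.group(1) or m.group(2), no_comments)


def parse_settings(text: str) -> Dict:
    """Parse a settings.json file into a dict; raises JSONDecodeError if invalid."""
    return json.loads(strip_jsonc(text))


def flatten(obj: Dict, prefix: str = "") -> Dict[str, object]:
    """Flatten nested objects into dotted keys so that a nested spelling of a
    key is caught as well as the flat one. Container values are kept too, so
    a whole-object value (for example a per-command rule map) is visible."""
    out: Dict[str, object] = {}
    for key, value in obj.items():
        full = f"{prefix}.{key}" if prefix else key
        out[full] = value
        if isinstance(value, dict):
            out.update(flatten(value, full))
    return out


def find_confirmation_bypasses(text: str,
                               keys: Iterable[str] = CONFIRMATION_BYPASS_KEYS
                               ) -> List[Tuple[str, object]]:
    """Return (key, value) pairs for denylisted keys set to anything other than
    an explicit off/empty value. Unparsable input raises so that a CI job
    fails closed instead of silently passing a malformed file."""
    try:
        flat = flatten(parse_settings(text))
    except json.JSONDecodeError as exc:
        raise ValueError(f"settings not parseable: {exc}") from exc
    return [(k, flat[k]) for k in sorted(keys)
            if k in flat and flat[k] not in (False, None, "", {}, [])]


def scan_workspace(root: str) -> Dict[str, List[Tuple[str, object]]]:
    """Check every .vscode/settings.json under root; returns hits per file."""
    findings: Dict[str, List[Tuple[str, object]]] = {}
    for path in Path(root).glob("**/.vscode/settings.json"):
        hits = find_confirmation_bypasses(path.read_text(encoding="utf-8"))
        if hits:
            findings[str(path)] = hits
    return findings


# Constructed sample of a tampered workspace settings file (not real data).
SAMPLE_SETTINGS = """{
  // editor preferences
  "editor.formatOnSave": true,
  "files.exclude": { "**/.git": true, },
  "chat.tools.autoApprove": true,
}"""

if __name__ == "__main__":
    for key, value in find_confirmation_bypasses(SAMPLE_SETTINGS):
        print(f"confirmation bypass: {key} = {value!r}")
```

Run `scan_workspace(".")` from a pre-commit hook or CI job and fail the build on any finding; a pull request that touches `.vscode/settings.json` at all is also worth a mandatory human review, since that file is the lever the attack path relies on.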
Remediation
Users can update to the latest version of Microsoft Visual Studio 2022 to address this vulnerability. Instructions for downloading the update are available on the Visual Studio website.
