Summary
If the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. There were multiple ways to achieve that. One example is the php.validate.executablePath setting, which sets the path of the PHP executable used for syntax validation. The attacker could have written the path to an arbitrary command there and then created a PHP file to trigger it.
Impact
This vulnerability is high complexity, since it requires the attacker to already be able to submit prompts to the agent (for instance through a prompt injection attack) and the user to have enabled auto-approved file writes (off by default). It is also high severity, since it would give the attacker the ability to execute arbitrary code.
Remediation
We added the .vscode/ folder to the list of protected files that require an additional layer of opt-in configuration for auto-approving writes.
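One way to implement such a protected-path check before an auto-approved write, as an added example that is not the project's own code. The names classifyWrite, PROTECTED_DIRS and the sample workspace path are assumptions made for illustration.

```javascript
const path = require("node:path");

// Assumption: the page names only ".vscode/" as protected; the list form is illustrative.
const PROTECTED_DIRS = [".vscode"];

// Classify a write the agent wants to perform (hypothetical helper).
// Returns "protected", "outside-workspace" or "allowed".
function classifyWrite(workspaceRoot, target) {
  // Treat "\" as a separator on every host so ".vscode\settings.json"
  // is caught on POSIX too (fail closed).
  const unified = String(target).replace(/\\/g, "/");
  const root = path.resolve(workspaceRoot);
  // resolve() collapses "." and ".." and accepts absolute targets.
  const resolved = path.resolve(root, unified);
  const rel = path.relative(root, resolved);

  if (rel === ".." || rel.startsWith(".." + path.sep) || path.isAbsolute(rel)) {
    return "outside-workspace";
  }
  // Compare case-insensitively: default Windows and macOS filesystems
  // open ".VSCode/settings.json" as ".vscode/settings.json".
  const segments = rel.split(path.sep).map((s) => s.toLowerCase());
  // Any segment matches, so a nested "pkg/.vscode/" is covered as well.
  return segments.some((s) => PROTECTED_DIRS.includes(s)) ? "protected" : "allowed";
}

// Constructed sample inputs: a workspace root and write targets.
const SAMPLE_ROOT = "/work/project";
const SAMPLE_TARGETS = [
  ".vscode/settings.json",
  "src/../.vscode/tasks.json",
  ".VSCode/settings.json",
  ".vscode\\settings.json",
  "src/index.php",
  ".vscode-notes/readme.md",
  "../other/.vscode/settings.json",
];

// Only "allowed" targets may be written without asking the user.
function classifyAll(root, targets) {
  return targets.map((t) => [t, classifyWrite(root, t)]);
}

for (const [t, verdict] of classifyAll(SAMPLE_ROOT, SAMPLE_TARGETS)) {
  console.log(verdict.padEnd(18), t);
}
```

path.resolve() does not follow symlinks, so a check running against a real filesystem would also compare the real path of the target's parent directory.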