A remote code execution vulnerability exists in VS Code 1.82.0 and earlier versions: working in a maliciously crafted package.json can result in commands being executed locally. This scenario would require the attacker to get the VS Code user to open the malicious project and to open and work with malformed entries in the dependencies sections of the package.json file.
VS Code uses the locally installed npm command to fetch information on package dependencies. A package dependency can be named in such a way that the npm tool runs a script instead.
Patches
The fix is available starting with VS Code 1.82.1. The fix (e7b3397) mitigates this attack by turning off the usage of npm in an untrusted workspace and by adding extra input validation when calling the npm command.
Workarounds
Do not work with the dependencies sections in the package.json file that originate from an untrusted source.