VS Code Information Disclosure Vulnerability

A information disclosure vulnerability exists in VS Code 1.79.0 and earlier versions on Windows when file system operations are performed on malicious UNC paths. Examples include reading or resolving metadata of such paths. An authorised attacker must send the user a malicious file and convince the user to open it for the vulnerability to occur. Exploiting this vulnerability could allow the disclosure of NTLM hashes.

Patches

The fix is available starting with VS Code 1.79.1. It involved changes to VS Code as well as the node.js component that VS Code leverages for file system operations:

• the change in 67fa15c updates our versions of Electron and node.js
• the change in https://gist.github.com/bpasero/ad230c2c8921e5d0470a1466b130b24f patches node.js 16.17.1 normalizes paths and throws an error when using paths of the form \\?\globalroot or \\?\global

Workarounds

Do not open workspaces or files on UNC paths. Do not open workspaces or files that contain UNC paths as text.

References

• The patches for this can be found at 67fa15c and https://gist.github.com/bpasero/ad230c2c8921e5d0470a1466b130b24f
• An advisory for this can be found at GHSA-j5wm-6crw-xvmr
• MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33144
• Our FAQ entry for how to work with UNC paths on Windows