An information disclosure vulnerability exists in VS Code 1.71 and earlier versions. If an attacker is able to run arbitrary scripts inside of a webview (either created by an extension or by core VS Code), the attacker could bypass the local resource roots check to read arbitrary files on the
Patches
The fix is available starting with VS Code 1.71.1. The fix mitigates this attack by performing input validation on the URL pointing to the repository to be cloned.
Workarounds
Only use webviews from extensions that follow proper security measures to block script injection
Do not disable VS Code's default security measures in the built-in markdown preview
References
An information disclosure vulnerability exists in VS Code 1.71 and earlier versions. If an attacker is able to run arbitrary scripts inside of a webview (either created by an extension or by core VS Code), the attacker could bypass the local resource roots check to read arbitrary files on the
Patches
The fix is available starting with VS Code 1.71.1. The fix mitigates this attack by performing input validation on the URL pointing to the repository to be cloned.
Workarounds
Only use webviews from extensions that follow proper security measures to block script injection
Do not disable VS Code's default security measures in the built-in markdown preview
References