A remote code execution vulnerability exists in VS Code 1.74.2 and earlier versions where opening a maliciously crafted notebook allows script execution inside of the notebook's iframe. This works in untrusted workspaces and only requires that the user open the notebook. The executed script is run inside of an isolated iframe, however it is possible an attacker could combine this with additional exploits to break out of the iframe
Patches
The fix is available starting with VS Code 1.74.3. The fix (5b8361b) mitigates this attack by more safely constructing html
Workarounds
Do not open notebooks from untrusted sources
References
5b8361b
A remote code execution vulnerability exists in VS Code 1.74.2 and earlier versions where opening a maliciously crafted notebook allows script execution inside of the notebook's iframe. This works in untrusted workspaces and only requires that the user open the notebook. The executed script is run inside of an isolated iframe, however it is possible an attacker could combine this with additional exploits to break out of the iframe
Patches
The fix is available starting with VS Code 1.74.3. The fix (5b8361b) mitigates this attack by more safely constructing html
Workarounds
Do not open notebooks from untrusted sources
References
5b8361b