FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

vscode -- security feature bypass vulnerability

Affected packages
vscode < 1.100.1

Details

VuXML ID 6f10b49d-07b1-4be4-8abf-edf880b16ad2
Discovery 2025-05-13
Entry 2025-05-14

VSCode developers report:

A security feature bypass vulnerability exists in VS Code 1.100.0 and earlier versions where a maliciously crafted URL could be considered trusted when it should not have been, due to how VS Code handled glob patterns in the trusted domains feature. When paired with the #fetch tool in Chat, this scenario would require the attacker to convince an LLM (via prompt injection) to fetch the maliciously crafted URL, but when fetched, the user would have no moment to confirm the flighting of the request.

References

CVE Name CVE-2025-21264
URL https://github.com/microsoft/vscode/security/advisories/GHSA-742r-ggwg-vqxm
URL https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-21264