Security Advisory 2022-084

Release Date:

Critical Vulnerability in Visual Studio Code



  • 02/12/2022 --- v1.0 -- Initial publication


On November 22, Microsoft published a security advisory about a Remote Code Execution vulnerability in Visual Studio Code [1]. The severity is rated critical: in VS Code 1.71 and earlier versions, malicious notebooks could use command URIs to execute arbitrary commands, including potentially dangerous commands.

Technical Details

The vulnerability was reported by Google [2] and is tracked as CVE-2022-41034. An attacker could, through a link or website, take over the computer of a Visual Studio Code user and any computers they were connected to via the Visual Studio Code Remote Development feature. This issue affected at least GitHub Codespaces, the web-based Visual Studio Code for Web and, to a lesser extent, Visual Studio Code desktop.

Microsoft released version 1.72 on October 11 [3], which fixes this vulnerability.

Affected Products

  • Visual Studio Code 1.71 and earlier versions.


CERT-EU recommends applying the patches for Visual Studio Code.
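As a triage aid while patching is rolled out, the following added example (not code from CERT-EU or Microsoft) flags notebooks that contain command URIs and checks a version string against the affected range listed above. It assumes notebooks are `.ipynb` JSON files and that command URIs use VS Code's `command:` scheme; the sample notebook and the command names in it are constructed placeholders, and a hit is a prompt for manual review rather than proof of a malicious notebook.

```python
import json
import re

# A VS Code command URI looks like "command:<command id>?<encoded args>".
# The lookbehind skips words that merely end in "command:" (e.g. "subcommand:").
COMMAND_URI = re.compile(r"(?<![\w.-])command:[A-Za-z0-9_.\-]+(?:\?[^\s\"'<>)\]]*)?")

def _strings(value):
    """Yield every string nested anywhere inside a decoded JSON value."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, (list, dict)):
        items = value.values() if isinstance(value, dict) else value
        for item in items:
            yield from _strings(item)

def find_command_uris(notebook_json):
    """Return (cell_index, cell_type, uri) for each command URI in a notebook."""
    findings = []
    for index, cell in enumerate(json.loads(notebook_json).get("cells", [])):
        # Assumption: links may sit in the cell source or in stored outputs
        # (text/html, text/markdown), so both are scanned.
        for text in _strings([cell.get("source", ""), cell.get("outputs", [])]):
            for match in COMMAND_URI.finditer(text):
                findings.append((index, cell.get("cell_type", "?"), match.group(0)))
    return findings

def is_affected(version):
    """True for VS Code 1.71 and earlier, the range the advisory lists."""
    major, minor = (int(part) for part in version.strip().split(".")[:2])
    return (major, minor) < (1, 72)

# Constructed sample notebook; the command ids below are placeholders, not real commands.
SAMPLE = json.dumps({
    "nbformat": 4, "nbformat_minor": 5, "metadata": {},
    "cells": [
        {"cell_type": "markdown", "metadata": {},
         "source": ["# Report\n", "[Open results](command:example.placeholderCommand?%5B%5D)\n"]},
        {"cell_type": "code", "metadata": {}, "execution_count": 1,
         "source": ["print('the command: ok')"],
         "outputs": [{"output_type": "display_data", "metadata": {},
                      "data": {"text/html": ["<a href='command:example.other'>x</a>"]}}]},
    ],
})

if __name__ == "__main__":
    for finding in find_command_uris(SAMPLE):
        print(finding)
    print(is_affected("1.71.2"), is_affected("1.72.0"))
```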




