Microsoft VSCode Python Extension - Code Execution

ID: 102753
CVE: None
Download vulnerable application: None
# VSCode Python Extension Code Execution

This repository contains the Proof-of-Concept of a code execution vulnerability discovered in the [Visual Studio Code]( Python extension.

>TL;DR: VScode may use code from a virtualenv found in the project folders without asking the user, for things such as formatting, autocompletion, etc. This insecure design leads to arbitrary code execution by simply cloning and opening a malicious Python repository.

You can read more about this vulnerability on our blog: [](

## HowTo

- Clone the 'malicious' repository with `git clone`
- Add the cloned repo to a VSCode workspace on macOS. Note that the vulnerability affects all platforms, but the PoC is executing **
- Open `` in VScode

Download ~
1-4-2 (www02)