CVE-2021-28967 Overview
CVE-2021-28967 is an arbitrary code execution vulnerability affecting the unofficial MATLAB extension for Visual Studio Code. Versions before 2.0.1 allow attackers to execute arbitrary code via a crafted workspace due to improper handling of lint configuration settings. This vulnerability poses a significant risk to developers who use the MATLAB extension in their development workflow, as opening a malicious workspace could lead to complete system compromise.
Critical Impact
Attackers can execute arbitrary code on developer workstations by crafting malicious workspace configurations that exploit lint configuration settings in the MATLAB VS Code extension.
Affected Products
- Gimly MATLAB extension for Visual Studio Code versions prior to 2.0.1
- Visual Studio Code installations with the unofficial MATLAB extension (Gimly81.matlab)
- Development environments using workspace-level lint configurations
Discovery Timeline
- 2021-03-24 - CVE-2021-28967 published to NVD
- 2025-07-08 - Last updated in NVD database
Technical Details for CVE-2021-28967
Vulnerability Analysis
This vulnerability stems from the MATLAB extension's handling of workspace configuration settings, specifically related to linting functionality. The extension trusts workspace-level configuration values without proper sanitization, allowing an attacker to inject malicious commands through crafted lint configuration settings. When a victim opens a workspace containing the malicious configuration, the extension processes these settings and executes the attacker-controlled code with the privileges of the VS Code process.
The vulnerability is particularly dangerous in collaborative development environments where workspace files may be shared through version control systems. An attacker could commit a malicious .vscode/settings.json file to a repository, and any developer cloning and opening the project would be compromised.
Root Cause
The root cause of CVE-2021-28967 is insufficient input validation on lint configuration settings within the MATLAB extension. The extension processes user-controllable workspace configuration values and passes them to system-level operations without proper sanitization. This allows attackers to inject arbitrary commands that are executed when the extension initializes or performs linting operations.
Attack Vector
The attack vector for this vulnerability is network-based and requires no privileges or user interaction beyond opening a malicious workspace. An attacker can deliver the payload through several methods:
- Repository Poisoning: Commit malicious workspace configuration files to shared repositories
- Social Engineering: Share malicious project directories with targeted developers
- Supply Chain Attacks: Include malicious configurations in project templates or boilerplates
The vulnerability is exploited through crafted lint configuration values in VS Code workspace settings. When the MATLAB extension processes these configurations, it executes the embedded commands. The security fix implemented in version 2.0.1 adds proper validation and sanitization of configuration values before they are processed.
For technical details on the exploitation mechanism, refer to the Ryotak Vulnerability Advisory and the security patch commit.
Detection Methods for CVE-2021-28967
Indicators of Compromise
- Unusual .vscode/settings.json files in workspace directories with suspicious lint configuration values
- Unexpected process execution originating from the VS Code process tree
- Modified or newly created workspace configuration files in recently cloned repositories
- Network connections or file system access initiated by VS Code that deviates from normal behavior
Detection Strategies
- Monitor for VS Code extensions executing shell commands or spawning child processes
- Implement file integrity monitoring for .vscode directories in project workspaces
- Review workspace configuration files for suspicious lint-related settings before opening projects
- Enable VS Code's workspace trust feature to prevent automatic execution of untrusted workspace configurations
Monitoring Recommendations
- Configure endpoint detection to alert on unusual process chains originating from VS Code
- Implement repository scanning to detect potentially malicious workspace configuration files
- Enable audit logging for file access and process execution in development environments
- Monitor for changes to VS Code extension settings and workspace configurations
How to Mitigate CVE-2021-28967
Immediate Actions Required
- Update the unofficial MATLAB extension to version 2.0.1 or later immediately
- Audit all workspace configuration files in existing projects for suspicious lint settings
- Enable VS Code's Workspace Trust feature to restrict untrusted workspace configurations
- Review recently opened workspaces, especially those from external or shared sources
Patch Information
The vulnerability has been addressed in version 2.0.1 of the unofficial MATLAB extension for Visual Studio Code. The fix implements proper validation and sanitization of lint configuration settings to prevent command injection.
Patch Reference: GitHub Security Commit
Update Instructions: Open VS Code Extensions panel, search for "MATLAB" by Gimly81, and click Update. Alternatively, update via the VS Marketplace.
Workarounds
- Temporarily disable the MATLAB extension until the update can be applied
- Enable VS Code Workspace Trust and mark untrusted workspaces as restricted
- Manually review all .vscode/settings.json files before opening workspaces from external sources
- Consider using a containerized development environment to isolate potential exploitation attempts
# Verify MATLAB extension version in VS Code
code --list-extensions --show-versions | grep -i matlab
# Enable Workspace Trust via VS Code settings
# Add to user settings.json:
# "security.workspace.trust.enabled": true
# "security.workspace.trust.untrustedFiles": "prompt"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
