Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64320

CVE-2025-64320: Salesforce Agentforce Vibes RCE Flaw

CVE-2025-64320 is a remote code execution vulnerability in Salesforce Agentforce Vibes Extension caused by improper LLM prompt neutralization. This article covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-64320 Overview

CVE-2025-64320 is a code injection vulnerability in the Salesforce Agentforce Vibes Extension for Visual Studio Code. The flaw is classified as Improper Neutralization of Input Used for LLM Prompting [CWE-94]. Attackers can craft input that manipulates prompts processed by the extension's large language model (LLM) integration, leading to code injection in the developer environment.

The vulnerability affects all versions of Agentforce Vibes Extension before 3.2.0. Because the attack vector is network-based and requires no privileges or user interaction, remote attackers can influence LLM prompts through crafted content consumed by the extension.

Critical Impact

Attackers can inject code through manipulated LLM prompts, compromising the confidentiality and integrity of developer environments running the vulnerable extension.

Affected Products

  • Salesforce Agentforce Vibes Extension for Visual Studio Code, versions before 3.2.0
  • Developer workstations with the vulnerable extension installed
  • Salesforce development pipelines that rely on Agentforce Vibes for AI-assisted coding

Discovery Timeline

  • 2025-11-04 - CVE-2025-64320 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-64320

Vulnerability Analysis

The Agentforce Vibes Extension integrates LLM-driven code assistance into Visual Studio Code. The extension fails to properly neutralize untrusted input before incorporating it into prompts sent to the LLM. Attackers can embed adversarial instructions in content the extension processes, such as source files, comments, documentation, or repository data.

When the extension constructs prompts, the injected instructions override or extend the intended behavior. The LLM then generates output that the extension acts upon, including code that executes in the developer's workspace. This produces a prompt injection chain that reaches code execution [CWE-94].

The issue impacts confidentiality and integrity but not availability. An attacker can influence generated code, exfiltrate sensitive context available to the LLM, or coerce the assistant into producing malicious snippets that developers unknowingly execute.

Root Cause

The root cause is missing input sanitization on data that flows into LLM prompt construction. The extension treats untrusted content as trusted prompt context, allowing embedded directives to alter LLM behavior. This is a classic prompt injection weakness mapped to [CWE-94] Code Injection.

Attack Vector

An attacker seeds crafted content into any source the extension reads, such as a public repository, a shared file, an issue tracker snippet, or dependency documentation. When a developer invokes Agentforce Vibes to reason over that content, the malicious instructions execute inside the LLM prompt path and drive code injection outcomes in the local environment. See the Salesforce Help Article for vendor guidance.

Detection Methods for CVE-2025-64320

Indicators of Compromise

  • Unexpected code changes or new files created in Visual Studio Code workspaces shortly after Agentforce Vibes interactions.
  • Outbound network connections from code.exe or extension host processes to unfamiliar endpoints during LLM sessions.
  • Suspicious commands or scripts appearing in LLM-generated code suggestions that reference secrets, credentials, or system commands.

Detection Strategies

  • Inventory installed Visual Studio Code extensions across developer endpoints and flag Agentforce Vibes versions below 3.2.0.
  • Monitor extension host child processes for shell invocations, package installers, or credential access patterns following AI-assisted coding sessions.
  • Review version control commit history for unexplained modifications introduced during periods of Agentforce Vibes usage.

Monitoring Recommendations

  • Enable telemetry on developer endpoints to capture process lineage between Visual Studio Code, the extension host, and any spawned interpreters.
  • Alert on new outbound connections from IDE processes to non-corporate domains.
  • Log LLM prompt and response payloads where policy allows to support forensic review of prompt injection events.

How to Mitigate CVE-2025-64320

Immediate Actions Required

  • Upgrade Salesforce Agentforce Vibes Extension to version 3.2.0 or later on all developer workstations.
  • Audit repositories and shared content sources that Agentforce Vibes has processed for embedded adversarial instructions.
  • Restrict extension usage on projects that ingest untrusted third-party content until patching is confirmed.

Patch Information

Salesforce addressed the issue in Agentforce Vibes Extension 3.2.0. Update through the Visual Studio Code Marketplace and confirm the reported version in the Extensions panel. Refer to the Salesforce Help Article for vendor-provided remediation details.

Workarounds

  • Disable or uninstall the Agentforce Vibes Extension until the update to 3.2.0 is applied.
  • Limit the extension's exposure to untrusted files, repositories, and external documentation during triage.
  • Require code review for any AI-generated code before commit or execution in shared environments.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.