CVE-2025-64321 Overview
CVE-2025-64321 is an improper neutralization of input used for LLM prompting vulnerability in the Salesforce Agentforce Vibes Extension for Visual Studio Code. The flaw allows an attacker to manipulate writeable configuration files through crafted prompt input processed by the extension. The issue affects all versions of Agentforce Vibes Extension prior to 3.3.0. The vulnerability is tracked under CWE-94 (Improper Control of Generation of Code). Salesforce has published a fix and disclosed the issue through its help portal.
Critical Impact
An attacker can influence LLM prompts to cause the extension to modify writeable configuration files, resulting in integrity impact on the developer's local environment.
Affected Products
- Salesforce Agentforce Vibes Extension for Visual Studio Code, versions before 3.3.0
Discovery Timeline
- 2025-11-04 - CVE-2025-64321 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64321
Vulnerability Analysis
The Salesforce Agentforce Vibes Extension integrates a large language model (LLM) into the Visual Studio Code development workflow. The extension accepts user or contextual input and passes it into LLM prompts that drive agent actions, including operations on files within the developer's workspace. Because input is not properly neutralized before being used to construct prompts, an attacker who controls prompt content can steer the agent into writing to configuration files that the extension has permission to modify. The result is a prompt injection primitive that translates directly into unauthorized configuration file modification, mapped to CWE-94.
Root Cause
The root cause is insufficient sanitization of input that is incorporated into LLM prompts. The extension trusts prompt-derived instructions when deciding which local files to write. Without validation of the target file path or the semantic intent of the generated action, adversarial prompt content can redirect the agent to overwrite writeable configuration files rather than the developer's intended targets.
Attack Vector
Exploitation occurs over the network attack surface exposed by the LLM prompt channel. An attacker delivers crafted content — for example through repository files, documentation, issue text, or other context the agent consumes — that instructs the LLM to modify configuration files. No authentication or user interaction beyond normal use of the extension is required. Successful exploitation compromises the integrity of local configuration files but does not directly expose confidential data or cause denial of service.
No verified public proof-of-concept exploit is available. Refer to the Salesforce Help Article for vendor technical detail.
Detection Methods for CVE-2025-64321
Indicators of Compromise
- Unexpected modifications to workspace configuration files such as .vscode/settings.json, .env, package.json, or repository CI configuration written by the Agentforce Vibes Extension process.
- Agentforce Vibes agent actions in extension logs that reference file writes not initiated by the developer.
- Presence of Agentforce Vibes Extension versions earlier than 3.3.0 in developer endpoints.
Detection Strategies
- Inventory installed Visual Studio Code extensions across developer endpoints and flag salesforce.agentforce_vibes versions below 3.3.0.
- Monitor file integrity on repository configuration files and alert on writes originating from the extension host process outside expected developer activity.
- Review Agentforce Vibes prompt and action logs for instructions that reference configuration file paths, credential files, or build settings.
Monitoring Recommendations
- Enable endpoint file integrity monitoring on developer workstations for common configuration paths under source-controlled directories.
- Collect Visual Studio Code extension telemetry and forward it to a centralized log store for correlation with commit history.
- Track outbound LLM prompt content when policy allows, to identify injected instructions embedded in third-party repositories or documents.
How to Mitigate CVE-2025-64321
Immediate Actions Required
- Upgrade the Salesforce Agentforce Vibes Extension to version 3.3.0 or later on every developer workstation.
- Audit recent commits and configuration files in repositories where the extension has been used since installation.
- Restrict the extension's workspace scope to trusted projects until patching is confirmed.
Patch Information
Salesforce has addressed CVE-2025-64321 in Agentforce Vibes Extension version 3.3.0. Details are available in the Salesforce Help Article. All earlier versions remain vulnerable and must be upgraded.
Workarounds
- Disable or uninstall the Agentforce Vibes Extension on endpoints where immediate patching is not possible.
- Avoid opening untrusted repositories, issues, or documents in Visual Studio Code while the extension is active.
- Enforce code review on all configuration file changes so that any agent-induced modification is caught before merge.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

