CVE-2025-66389 Overview
CVE-2025-66389 affects GitHub Copilot version 1.372.0 in Visual Studio Code. The vulnerability allows the fetch_webpage tool to access filesystem resources outside the active workspace folder without user approval. An attacker supplies a file:// URI through the tool's URI parameter, which the handler resolves and reads. When combined with indirect prompt injection in content the assistant processes, the flaw enables exfiltration of arbitrary local files. The issue is categorized under [CWE-552] (Files or Directories Accessible to External Parties).
Critical Impact
Attackers can exfiltrate sensitive files outside the workspace by combining indirect prompt injection with a crafted file:// URI passed to fetch_webpage.
Affected Products
- GitHub Copilot Chat extension version 1.372.0
- Visual Studio Code fetchPageTool component
- Environments using Copilot Chat with untrusted document or web content
Discovery Timeline
- 2026-06-22 - CVE-2025-66389 published to NVD
- 2026-06-22 - Last updated in NVD database
Technical Details for CVE-2025-66389
Vulnerability Analysis
The fetch_webpage tool in GitHub Copilot Chat retrieves content for the language model to reason over. The tool accepts a URI parameter intended for HTTP and HTTPS resources. The implementation in fetchPageTool.ts does not restrict the URI scheme, so file:// URIs are processed by the same handler. The handler reads the referenced path and returns its contents into the model context. No workspace-boundary check or user-consent prompt is enforced before the read occurs. The model then incorporates that content into its response, including responses that may be sent to attacker-controlled destinations.
Root Cause
The root cause is missing scheme and path validation on the URI argument passed to fetch_webpage. The tool treats any URI handler available to the VS Code runtime as a legitimate fetch target. Workspace trust boundaries that apply to other Copilot operations are not applied to this code path. As a result, local file reads bypass the consent flow normally required for filesystem access.
Attack Vector
The vulnerability is exploited through indirect prompt injection. An attacker plants instructions inside a document, repository file, web page, or issue that the user asks Copilot to summarize. Those instructions direct the assistant to call fetch_webpage with a file:// URI pointing at sensitive local paths such as SSH keys, environment files, or credential stores. The tool returns the file contents into the conversation. The injected instructions then request a second fetch_webpage call against an attacker-controlled HTTPS endpoint that includes the stolen content in the URL or query string. See the Blind Cyber write-up and the VS Code fetchPageTool source for technical details.
Detection Methods for CVE-2025-66389
Indicators of Compromise
- Copilot Chat tool invocations of fetch_webpage with URIs beginning with file://, vscode-file://, or other non-HTTP schemes.
- Outbound requests from the VS Code process to unfamiliar hosts shortly after Copilot processed external content.
- Copilot tool logs referencing paths outside the active workspace, such as ~/.ssh/, ~/.aws/, or .env files.
Detection Strategies
- Review Copilot Chat session telemetry for tool calls whose URI arguments resolve to local filesystem paths.
- Correlate Copilot tool activity with process network connections from Code.exe or code to non-allowlisted domains.
- Inspect prompts and pasted content for hidden instructions such as zero-width characters, hidden HTML, or comment blocks directing tool use.
Monitoring Recommendations
- Forward VS Code and Copilot extension logs to a centralized log store and alert on file:// arguments to web-fetch tools.
- Monitor endpoint DNS and HTTP egress for developer workstations interacting with external repositories.
- Track installed Copilot Chat extension versions across the fleet and flag any host still running 1.372.0.
How to Mitigate CVE-2025-66389
Immediate Actions Required
- Update the GitHub Copilot Chat extension in Visual Studio Code to a version later than 1.372.0.
- Audit developer workstations for the vulnerable build and force the update through the extension management policy.
- Rotate any credentials, SSH keys, or tokens stored on hosts that processed untrusted content with the vulnerable version.
Patch Information
Users should upgrade to the latest GitHub Copilot Chat release that restricts fetch_webpage to HTTP and HTTPS schemes. Track fixes in the microsoft/vscode-copilot-chat repository and confirm the installed version through the Extensions view in VS Code.
Workarounds
- Disable the Copilot Chat extension on hosts that cannot be updated immediately.
- Restrict Copilot Chat to trusted workspaces and avoid summarizing untrusted repositories, web pages, or pull request content.
- Apply egress filtering to block developer endpoints from reaching arbitrary external hosts that could receive exfiltrated data.
# Configuration example: verify and update the Copilot Chat extension
code --list-extensions --show-versions | grep -i copilot-chat
code --install-extension GitHub.copilot-chat --force
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

