Share
## https://sploitus.com/exploit?id=61A5D036-A39D-50D6-9AB8-58E62379E337
# Vulnerability Write-up: Command Injection in VS Code Go Extension

- **CVE-ID:** CVE-2025-68120
- **CWE-ID:** CWE-184 (Incomplete Blacklist)
- **Patched Versions:** v0.52.1 and later
- **Credit:** CHOE WONWOO ([LinkedIn](https://www.linkedin.com/in/wonwoo-choe-908b11390/))

---

## 1. Summary

A Remote Code Execution (RCE) vulnerability was discovered in the Visual Studio Code Go extension. This vulnerability bypasses VS Code's 'Restricted Mode,' the security boundary for Untrusted Workspaces. The root cause is that certain settings, such as `go.buildFlags`, were not properly blocked in Restricted Mode.

An attacker can create a project with a malicious value in the `.vscode/settings.json` file. The moment a user opens this project and then opens a `.go` file, unintended code can be executed.

- **Vulnerability Type**: Remote Code Execution (RCE)
- **Affected Settings**: `go.buildFlags`, `go.testFlags`, `go.vetFlags`, etc.

## 2. Root Cause Analysis

The root cause of this vulnerability can be classified as **CWE-184 (Incomplete Blacklist)**. In other words, the vulnerability occurred because the 'blacklist' designed to block certain settings for security was incomplete, which in turn made Remote Code Execution (RCE) possible.

### Omission in `package.json` Security Settings

The VS Code extension defines which settings should be ignored in Restricted Mode via the `capabilities.untrustedWorkspaces.restrictedConfigurations` array in its `package.json` file.

Upon investigation, it was found that several settings that could affect command execution, such as `go.buildFlags`, `go.testFlags`, etc., were missing from this list. Due to this design flaw, VS Code would pass these settings to the Go extension even if the user did not trust the workspace.

### Vulnerable Code Path

Because `go.buildFlags` was not restricted, the code in `extension/src/goBuild.ts` retrieves the malicious setting value without any trust validation.

```typescript
// extension/src/goBuild.ts
export async function goBuild(
	// ...
	goConfig: vscode.WorkspaceConfiguration,
	// ...
): Promise {
	// ...
	const buildFlags: string[] = isTestFile
		? getTestFlags(goConfig)
		: Array.isArray(goConfig['buildFlags'])
		? [...goConfig['buildFlags']] // <-- Malicious payload is accepted here.
		: [];
	const buildArgs: string[] = isTestFile ? ['test', '-c'] : ['build'];
	// ...
	buildArgs.push(...buildFlags);
	// ...
	return runTool(buildArgs.concat(/*...*/)); // <-- Command is executed with malicious flags.
}
```

The value read from `goConfig['buildFlags']` is added to the `buildFlags` array without any validation and is ultimately passed as an argument to the `go build` command via the `runTool` function.

## 3. Attack Scenario

An attacker can exploit the Go compiler's `-toolexec` flag, a legitimate feature that wraps compiler invocations with an arbitrary command.

1.  **Preparation**: The attacker creates a malicious `.vscode/settings.json` file within a project.
    ```json
    {
      "go.buildFlags": ["-toolexec=calc.exe"]
    }
    ```
2.  **Delivery**: The attacker delivers this project to a developer, for instance, by hosting it in a public GitHub repository.
3.  **Trigger**:
    - The developer opens the project folder in VS Code.
    - VS Code prompts the user to trust the folder.
    - The developer selects "No, I don't trust the authors," entering Restricted Mode.
    - The developer opens any `.go` file to review the code.
    - The Go extension activates, reads the `go.buildFlags`, starts the build process, and immediately executes `calc.exe` as specified by the `-toolexec` flag.

### Vectors and Triggers

While this vulnerability can be triggered through several settings, the risk varies depending on the execution path.

-   **Primary Vector (`go.buildFlags`)**: This has a high likelihood of immediate execution. Simply opening a `.go` file can automatically initialize the Go language server (`gopls`) and perform build-related tasks, allowing code to be executed without any further user action.
-   **Secondary Vectors (`go.testFlags`, `go.vetFlags`, `go.lintFlags`, etc.)**: These paths require specific user actions, so their frequency of occurrence is relatively low, but they are still parts to consider for security. These settings are only used when a user explicitly runs tests or has features like "vet on save" or "lint on save" enabled.

## 4. Remediation

The Go extension development team has patched this vulnerability in **v0.52.1**. The Go extension is now completely disabled in Restricted Mode, which is reflected in the `package.json` file's `capabilities.untrustedWorkspaces` setting:

```json
"untrustedWorkspaces": {
  "supported": false
}
```

This approach prevents any part of the extension from running in an untrusted workspace, fundamentally blocking this and similar risks.

## 5. Impact

-   **Security Boundary Bypass**: This vulnerability bypasses VS Code's Workspace Trust security model, allowing code to be executed even when a user selects Restricted Mode.
-   **Potential Risk**: An attacker could execute code with the developer's system privileges, potentially leading to access to sensitive data or further system compromise. This is particularly relevant in the context of supply chain attacks in open-source projects or team environments.

**Recommendation**: All users should update the extension to the latest version as soon as possible to resolve this vulnerability.

## 6. Disclosure Timeline

- **2024-12-02**: Vulnerability discovered and reported to Google VRP
- **2024-12-05**: Initial assessment - Classified as "Infeasible (Attacker needs access to victim's computer)"
- **2024-12-05**: Appeal submitted - Clarified this is a remote supply chain attack via malicious repository
  - Attacker hosts malicious repo with `.vscode/settings.json`
  - Victim clones and opens in Restricted Mode
  - No direct access to victim's computer needed
  - Bypasses VS Code's Workspace Trust security boundary
- **2024-12-06**: Appeal accepted - Vulnerability severity re-evaluated
- **2024-12-18**: Patch released (v0.52.1)
- **2024-12-29**: CVE-2025-68120 assigned

## 7. References

- https://vulners.com/cve/CVE-2025-68120
- https://nvd.nist.gov/vuln/detail/CVE-2025-68120
- https://pkg.go.dev/vuln/GO-2025-4249
- https://go.dev/cl/731200
- https://groups.google.com/g/golang-dev/c/CHG4qfcicBU/m/4tanFUymDQAJ