The elevated save flow in VS Code 1.94.0 and earlier versions contains a remote code execution vulnerability.
Patches
The fix is available starting with VS Code 1.94.1. The fix (28000df) mitigates this attack by allowing elevated save only in trusted workspaces and by hardening how arguments are passed through the elevated save flow.
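The two mitigation ideas named above, a workspace-trust gate and argv-style argument passing, as an added TypeScript example that is not VS Code's own code: the `pkexec`/`cp` helper, the path policy and the `Spawner` type are illustrative assumptions, not the advisory's or the project's implementation.

```typescript
// Added example, not VS Code code: an elevated-save planner that applies the
// advisory's two mitigations, trust gating and discrete argument passing.

interface ElevatedSaveRequest {
  workspaceTrusted: boolean; // result of the editor's workspace-trust check
  sourcePath: string;        // temp file holding the contents to write
  targetPath: string;        // protected destination the user asked to save to
}

interface ElevatedCommand {
  file: string;   // executable to launch directly, never a shell
  args: string[]; // one argv element per value, nothing interpolated
}

// Kept abstract so the module has no runtime dependency; a real caller would
// pass child_process.spawn and keep shell disabled (assumed interface).
type Spawner = (file: string, args: string[], opts: { shell: false }) => void;

// Illustrative policy: accept only a non-empty absolute POSIX path with no
// control characters (NUL, newline, ...) that a helper could reinterpret.
function isPlainPath(p: string): boolean {
  return p.length > 0 && p.startsWith("/") && !/[\u0000-\u001f\u007f]/.test(p);
}

function planElevatedSave(req: ElevatedSaveRequest): ElevatedCommand {
  // Mitigation 1: refuse elevated save outside a trusted workspace, so a
  // workspace opened in Restricted Mode never reaches the privileged helper.
  if (!req.workspaceTrusted) {
    throw new Error("elevated save is only available in trusted workspaces");
  }
  // Mitigation 2: validate both paths, then hand them over as separate argv
  // entries; "--" keeps the helper from reading a path as an option.
  if (!isPlainPath(req.sourcePath) || !isPlainPath(req.targetPath)) {
    throw new Error("refusing to elevate with a non-plain path");
  }
  // pkexec + cp stand in for whatever privileged copy helper a platform uses.
  return { file: "/usr/bin/pkexec", args: ["cp", "--", req.sourcePath, req.targetPath] };
}

function runElevatedSave(req: ElevatedSaveRequest, spawn: Spawner): ElevatedCommand {
  const cmd = planElevatedSave(req);
  spawn(cmd.file, cmd.args, { shell: false }); // no shell, so no string parsing
  return cmd;
}
```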
Workarounds
Users who cannot update can avoid the vulnerability by not using the elevated save flow.
References
- The patch for this can be found at 28000df
- An issue for this can be found at #230824
- MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-43601