According to the CVSS metric, a successful exploitation could lead to a scope change (S:C). What does this mean for this vulnerability? In this case, a successful attack can break out of the Visual Studio Code Workspace Trust feature. See Workspace Trust for more information. According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? The user would have be enticed to open a malicious link rendered in a VSCode extension. Users should never open anything that they do not know or trust to be safe. What type of information could be disclosed by this vulnerability? The type of information that could be disclosed if an attacker successfully exploited this vulnerability is file content.
<a href="https://twitter.com/v_jofra">Vasco Franco</a> with <a href="https://www.trailofbits.com/">Trail of Bits</a>