CVE-2025-21264: Visual Studio Code Security Feature Bypass Vulnerability

Overview

Severity
High (CVSS 7.1)
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N/E:U/RL:O/RC:C
Category
Security Feature Bypass
Exploit Status
Not Exploited
Exploitation Likelihood
Less Likely
Patch Tuesday
2025-May
Released
2025-05-13
Last Updated
2025-06-17
EPSS Score
1.16% (percentile: 78.6%)

Description

Files or directories accessible to external parties in Visual Studio Code allow an unauthorized attacker to bypass a security feature locally.

FAQ

According to the CVSS metrics, successful exploitation of this vulnerability could lead to major loss of confidentiality (C:H), and some loss of integrity (I:L), but no loss of availability (A:N). What does that mean for this vulnerability?

An attacker who successfully exploited this vulnerability could view sensitive information, a token in this scenario (Confidentiality), and make some changes to disclosed information (Integrity), but they would not be able to affect Availability.

What kind of security feature could be bypassed by successfully exploiting this vulnerability?

An attacker who successfully exploited this vulnerability could bypass the Trusted Domain Service.

Affected Products (2)

Developer Tools

  • Visual Studio Code
  • Microsoft Visual Studio Code CoPilot Chat Extension

Security Updates (2)

Acknowledgments

Anonymous

Revision History

  • 2025-05-13: Information published.
  • 2025-06-17: In the Security Updates Table, added Microsoft Visual Studio CoPilot Chat Extension as it is also affected by this vulnerability. Microsoft recommends that customers install the update to be fully protected from the vulnerability.