CVE-2025-64660: GitHub Copilot and Visual Studio Code Remote Code Execution Vulnerability

Overview

Severity: High (CVSS 8.0)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C
Category: Remote Code Execution
Exploit Status: Not Exploited
Exploitation Likelihood: Less Likely
Patch Tuesday: 2025-Nov
Released: 2025-11-20
Last Updated: 2025-11-25
EPSS Score: 0.13% (percentile: 33.1%)

Description

Improper access control in GitHub Copilot and Visual Studio Code allows an authorized attacker to execute code over a network.

FAQ

According to the CVSS metric, privileges are required (PR:L) and user interaction is required (UI:R). How could an attacker exploit this remote code execution vulnerability? An authenticated attacker could place a malicious file in the targeted repository. The victim would then have to open that file in Visual Studio Code, mark it as trusted, and ask GitHub Copilot for assistance; without that trust grant and Copilot request, the malicious file is not acted on.
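Because the attack path in the FAQ runs only after the user has trusted the file in Visual Studio Code, the control worth auditing on developer machines is VS Code's Workspace Trust. The script below is an added example, not part of this advisory or of Microsoft's or GitHub's guidance. The setting names are VS Code's real Workspace Trust settings; treating them as the gate for this issue is this example's assumption, and the settings.json samples are constructed. VS Code's settings file is JSON with comments and trailing commas, so the script strips those before parsing rather than relying on json.loads alone.

```python
"""Audit a VS Code settings.json for weakened Workspace Trust settings."""
import json
import re

# Assumption (not stated in the advisory): these Workspace Trust settings decide
# whether files from a cloned repository are treated as trusted, which is the
# precondition the FAQ describes. Values listed here keep the trust prompt in force.
SAFE_VALUES = {
    "security.workspace.trust.enabled": {True},
    "security.workspace.trust.startupPrompt": {"always", "once"},
    "security.workspace.trust.untrustedFiles": {"prompt", "newWindow"},
}
# VS Code defaults, used when a key is absent from settings.json.
DEFAULTS = {
    "security.workspace.trust.enabled": True,
    "security.workspace.trust.startupPrompt": "once",
    "security.workspace.trust.untrustedFiles": "prompt",
}


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments (outside strings) and trailing commas."""
    out = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped characters intact
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):       # line comment: drop to end of line
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):       # block comment: drop to closing */
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    cleaned = "".join(out)
    # Trailing comma before a closing brace/bracket. Limitation: a string value
    # containing ", }" would also be touched; settings files rarely do that.
    return re.sub(r",(\s*[}\]])", r"\1", cleaned)


def parse_jsonc(text: str) -> dict:
    return json.loads(strip_jsonc(text))


def audit_settings(settings: dict) -> list:
    """Return one finding per Workspace Trust setting that weakens the prompt."""
    findings = []
    for key, safe in SAFE_VALUES.items():
        value = settings.get(key, DEFAULTS[key])
        if value not in safe:
            findings.append(
                f"{key} = {value!r} weakens Workspace Trust "
                f"(expected one of {sorted(map(str, safe))})"
            )
    return findings


def audit_settings_text(text: str) -> list:
    return audit_settings(parse_jsonc(text))


# Constructed samples (not real user data).
SAMPLE_WEAK = """{
    // constructed: a developer disabled the trust prompt to stop "nagging"
    "security.workspace.trust.enabled": false,
    "security.workspace.trust.untrustedFiles": "open", /* auto-open files */
    "editor.fontSize": 14,
}"""

SAMPLE_HARDENED = """{
    "security.workspace.trust.enabled": true,
    "security.workspace.trust.startupPrompt": "always",
    "security.workspace.trust.untrustedFiles": "prompt"
}"""

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(f"[{name}]")
        for finding in audit_settings_text(sample) or ["no Workspace Trust weaknesses"]:
            print("  ", finding)
```

To run it against a real machine, read the user settings file (for example ~/.config/Code/User/settings.json on Linux) into audit_settings_text; a non-empty result means the trust prompt that the FAQ relies on may be bypassed on that host.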

Affected Products (1)

Developer Tools

  • Visual Studio Code

Security Updates (1)

Acknowledgments

Ari Marzuk (https://x.com/ari_maccarita) with maccarita.com (https://maccarita.com/), Tarek Nakkouch (https://www.linkedin.com/in/tarek-nakkouch/), AmeenBasha M K (https://linkedin.com/in/ameen-basha-37a8b710a)

Revision History

  • 2025-11-20: Information published.
  • 2025-11-25: The following revisions have been made: 1) In the Security Updates table, corrected the impact entries to Remote Code Execution. 2) The CVSS scores have been updated. These are informational changes only. Customers who have successfully installed the update do not need to take any further action.