Security Update for Microsoft Visual Studio Code (February 2025)

🗓️ 11 Feb 2025 00:00:00Reported by TenableType

Microsoft Visual Studio Code versions before 1.97.1 are vulnerable to multiple attacks on Windows.

Reporter	Title	Published	Views	Family All 30
BDU FSTEC	The vulnerability of Visual Studio Code’s JS Debug editor, related to vulnerabilities in access control, allows attackers to escalate their privileges.	26 Feb 202500:00	–	bdu_fstec
BDU FSTEC	The vulnerability of Microsoft Visual Studio Code’s source editor, related to an uncontrolled search path element, allows attackers to escalate their privileges.	28 Feb 202500:00	–	bdu_fstec
FreeBSD	vscode -- multiple vulnerabilities	11 Feb 202500:00	–	freebsd
Circl	CVE-2025-24039	11 Feb 202518:08	–	circl
Circl	CVE-2025-24042	11 Feb 202518:08	–	circl
CNNVD	Microsoft Visual Studio Code 代码问题漏洞	11 Feb 202500:00	–	cnnvd
CNNVD	Microsoft Visual Studio Code 访问控制错误漏洞	11 Feb 202500:00	–	cnnvd
CVE	CVE-2025-24039	11 Feb 202517:58	–	cve
CVE	CVE-2025-24042	11 Feb 202517:58	–	cve
Cvelist	CVE-2025-24039 Visual Studio Code Elevation of Privilege Vulnerability	11 Feb 202517:58	–	cvelist

Source	Link
code	www.code.visualstudio.com/updates/v1_97
github	www.github.com/microsoft/vscode/issues/240406
github	www.github.com/microsoft/vscode/issues/240407
cve	www.cve.mitre.org/cgi-bin/cvename.cgi
cve	www.cve.mitre.org/cgi-bin/cvename.cgi

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(216141);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2025/06/23");

  script_cve_id("CVE-2025-24039", "CVE-2025-24042");
  script_xref(name:"IAVA", value:"2025-A-0108-S");

  script_name(english:"Security Update for Microsoft Visual Studio Code (February 2025)");

  script_set_attribute(attribute:"synopsis", value:
"The remote host has an application installed that is missing a security update.");
  script_set_attribute(attribute:"description", value:
"The version of Microsoft Visual Studio Code installed on the remote host is prior to 1.97.1. It is, therefore,
affected by multiple vulnerabilities:

  - An elevation of privilege vulnerability exists in VS Code 1.97.0 and earlier versions for users of the code
    serve-web command on Windows. An attacker can place an evil version of the node module that is optionally
    required by one of the dependencies for the Visual Studio Code remote server in a world writable directory like
    C:\node_modules to get it executed under the privileges of the current user. (CVE-2025-24039)

  - A vulnerability exists in VS Code 1.97.0 and earlier versions where an attacker with write permissions on certain
    common directories can place a binary that would be executed automatically by the JavaScript debugger. This
    requires an attacker to be able to create and modify files on the user's machine. (CVE-2025-24042)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://code.visualstudio.com/updates/v1_97");
  script_set_attribute(attribute:"see_also", value:"https://github.com/microsoft/vscode/issues/240406");
  script_set_attribute(attribute:"see_also", value:"https://github.com/microsoft/vscode/issues/240407");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Microsoft Visual Studio Code 1.97.1 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:S/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2025-24042");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2025/02/11");
  script_set_attribute(attribute:"patch_publication_date", value:"2025/02/11");
  script_set_attribute(attribute:"plugin_publication_date", value:"2025/02/11");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:visual_studio_code");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_set_attribute(attribute:"thorough_tests", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Misc.");

  script_copyright(english:"This script is Copyright (C) 2025 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("os_fingerprint.nasl", "microsoft_visual_studio_code_installed.nbin", "microsoft_visual_studio_code_win_user_installed.nbin", "microsoft_visual_studio_code_linux_installed.nbin", "macosx_microsoft_visual_studio_code_installed.nbin");
  script_require_ports("installed_sw/Microsoft Visual Studio Code", "installed_sw/Visual Studio Code");

  exit(0);
}

include('vdf.inc');

# @tvdl-content
var vuln_data = {
  'metadata': {'spec_version': '1.0'},
  'checks': [
    {
      'product': {'name': 'Microsoft Visual Studio Code', 'type': 'app'},
      'requires': [ {'scope': 'target', 'match': {'os': 'windows'}} ],
      'check_algorithm': 'default',
      'constraints': [
        {
          'fixed_version': '1.97.1'
        }
      ]
    },
    {
      'product': {'name': 'Visual Studio Code', 'type': 'app'},
      'requires': [ {'scope': 'target', 'match_one': {'os': ['macos', 'linux' ] } } ],
      'check_algorithm': 'default',
      'constraints': [
        {
          'fixed_version': '1.97.1'
        }
      ]
    }
  ]
};

var result = vdf::check_and_report(vuln_data:vuln_data, severity:SECURITY_WARNING);
vdf::handle_check_and_report_errors(vdf_result:result);

23 Jun 2025 00:00Current

8.3High risk

Vulners AI Score8.3

CVSS 3.17.3

EPSS0.00663

SSVC