Security Update for Microsoft Visual Studio Code CoPilot Chat Extension (November 2025)

High | Nessus Plugin ID 276924

Synopsis

The remote host has an application installed that is missing a security update.

Description

The version of the Microsoft Visual Studio Code CoPilot Chat Extension installed on the remote host is prior to 0.32.5. It is, therefore, affected by multiple vulnerabilities:

- A command injection flaw in the Visual Studio Code Copilot Chat Extension, where improper handling of special characters in user-controlled input allows a remote attacker to inject and execute arbitrary system commands, leading to full compromise of the developer's environment through unauthorized code execution over the network (CVE-2025-62222).

- A path traversal and security feature bypass issue in the GitHub Copilot Chat extension for Visual Studio Code, where improper pathname restrictions allow a local, low-privileged attacker to interact with files outside the intended workspace when the user interacts with the extension, potentially exposing or altering sensitive code, configuration files, or credentials and resulting in high confidentiality and integrity impact (CVE-2025-62449).

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Update the Microsoft Visual Studio Code CoPilot Chat Extension to version 0.32.5 or later.

See Also

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62222

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62449

Plugin Details

Severity: High

ID: 276924

File Name: microsoft_visual_studio_code_CoPilot_0_32_5.nasl

Version: 1.1

Type: local

Agent: windows

Family: Windows

Published: 11/26/2025

Updated: 11/26/2025

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v3

Risk Factor: High

Base Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Vulnerability Information

CPE: cpe:/a:microsoft:github_copilot_chat, cpe:/a:microsoft:visual_studio_code

Required KB Items: installed_sw/Microsoft Visual Studio Code

Patch Publication Date: 11/11/2025

Vulnerability Publication Date: 11/11/2025

Reference Information

CVE: CVE-2025-62222, CVE-2025-62449

IAVA: 2025-A-0849