Arbitrary Code Execution in VS Code Code Runner via crafted workspace executorMap
CVE-2025-65715 affects the Visual Studio Code extension Code Runner. The advisory names version 0.12.2 specifically, and reporting indicates the weakness may affect all versions. The issue is in the handling of the code-runner.executorMap setting. An attacker can supply a crafted workspace, or otherwise influence VS Code workspace/settings content, so that Code Runner builds and executes an attacker-controlled command. In practice, this is a command-injection/arbitrary code execution condition triggered when the victim opens a malicious workspace and uses the extension in that context. The vulnerable behavior stems from trusting configuration-derived command data and passing it into the execution flow without sufficient validation or hardening.
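An added example, not code from the advisory or from the Code Runner project: a read-only audit that walks a directory tree and lists every command that a .vscode/settings.json or *.code-workspace file assigns through code-runner.executorMap, so each entry can be reviewed before the workspace is trusted. The prefix match on the setting name and the tuple layout of the report are assumptions of this example.

```python
import json
import os
import re
import sys

# Assumption: a prefix match, so sibling keys that share this prefix are listed too.
PREFIX = "code-runner.executorMap"
# settings.json is JSONC; alternative 1 captures whole strings so they are never edited.
_STRING = r'("(?:\\.|[^"\\])*")'
_COMMENT = re.compile(_STRING + r"|//[^\n]*|/\*.*?\*/", re.S)
_TRAILING_COMMA = re.compile(_STRING + r"|,(?=\s*[}\]])")

def strip_jsonc(text):
    """Blank out comments, then trailing commas, so json.loads accepts the file."""
    keep_string = lambda m: m.group(1) or " "
    return _TRAILING_COMMA.sub(keep_string, _COMMENT.sub(keep_string, text))

def executor_entries(path):
    """Return [(setting_key, language, command)] defined in one settings file.
    A *.code-workspace file nests its settings under a top-level "settings" object."""
    with open(path, encoding="utf-8") as fh:
        doc = json.loads(strip_jsonc(fh.read()))
    settings = doc.get("settings", {}) if path.endswith(".code-workspace") else doc
    return [(key, lang, cmd) for key, value in settings.items()
            if key.startswith(PREFIX) and isinstance(value, dict)
            for lang, cmd in value.items()]

def audit(root):
    """Map each workspace settings file under root to the executor commands it sets."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".code-workspace") or (
                    name == "settings.json" and os.path.basename(dirpath) == ".vscode"):
                path = os.path.join(dirpath, name)
                try:
                    report[path] = executor_entries(path)
                except (OSError, ValueError, AttributeError) as exc:
                    # Unparseable settings are surfaced for manual review, not skipped.
                    report[path] = [("<unparsed>", "", str(exc))]
    return {path: entries for path, entries in report.items() if entries}

if __name__ == "__main__":
    for path, entries in audit(sys.argv[1] if len(sys.argv) > 1 else ".").items():
        for key, lang, cmd in entries:
            print(f"{path}: {key}[{lang}] = {cmd!r}")
```

Run it with a checkout directory as the only argument; every line it prints is a command the workspace would hand to Code Runner and deserves the same review as a code change.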
Impact, mitigation & remediation
What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.
Impact
What an attacker gets, and what they’ve been doing with it.
Mitigation
If you can’t patch tonight, do this now.
.vscode/settings.json as untrusted input and review them with the same rigor as code changes. Avoid pasting configuration snippets from email, chat, or unverified repositories into settings.json. Use VS Code Workspace Trust or equivalent controls to restrict extension behavior in untrusted workspaces, and enforce extension allowlisting or disable non-essential extensions in enterprise environments until a fix is available.
Remediation
Patch, then assume compromise.
code-runner.executorMap entries from user and workspace settings, including .vscode/settings.json, and audit repositories for malicious workspace configuration committed to source control.
Exploits
No public exploit code observed for this vulnerability.
Recent activity
14 sources tracked across advisories, community write-ups, and news.
A remote code execution vulnerability in the VS Code 'Code Runner' extension affecting all versions, enabling attackers to execute code in the developer environment.
Remote code execution risk in the VS Code Code Runner extension where attacker-controlled VS Code/workspace settings can influence command construction/execution (command injection via settings).
A vulnerability in the VS Code Code Runner extension that can allow remote code execution in the developer environment/host.
A high-to-critical severity vulnerability affecting the Live Server Visual Studio Code extension that could enable attackers to steal local files and/or achieve remote code execution depending on exploitation path described (e.g., malicious webpages/configurations).