GitHub Copilot: Remote Code Execution via Prompt Injection (CVE-2025-53773)
embracethered.com96 points by kerng 5 hours ago
96 points by kerng 5 hours ago
I don't use VSCode or Copilot, so I'm hoping someone can answer these questions for me
- chmod: does Copilot run as the user? Who's file permissions does it respect?
- Can Copilot get root access?
- Can autoApprove be enabled via the standard interface? Making it possible to batch approve code changes along with this setting change?[0]
- Can it read settings from multiple files? (e.g. `.vscode/settings.json` and `../.vscode/settings.json`)
- How is the context being read? Is this in memory? File? Both?
- What happens when you edit the context? Are those changes seen in some log?
So I think the author is completely right that this gets much harrier when we let the LLMs do more and get multi-agent systems. What's the acceptable risk level? What are we willing to pay for that? It's easy to say "I'm just working on some dumb app" but honestly if it is popular enough why would this not be a target to create trojans? It's feasible for malicious people to sneak in malicious code, even when everyone is reviewing and acting diligently, but we place strong incentive structures around that to prevent this from happening. But I'm unconvinced we can do that with LLMs. And if we're being honest, it seems like letting LLMs do more erodes the incentive structure for the humans, so just makes it possible to be fighting two fronts...
So is it worth the cost? What are our limits?
[0] I'm thinking you turn it on, deploy your attack, turn it off, and the user then sees approval like they were expecting. Maybe a little longer or extra text but are they really watching the stream of text across the screen and watching every line? Seems easy to sneak in. I'm sure this can advance to be done silently or encoded in a way to make it look normal. Just have it take a temporary personality.
Is there some kind of an external "AI wrangler?"
With multiple AI agents simultaneously creating and editing multiple files, many devs won't be able to pick up malicious changes, even if they look at diffs. (And there are often pressures at work to cut corners.)
So far, I have only picked up agents overwriting files with instructions for them or creating instructions telling themselves to ignore some instructions in other files. (And pure laziness like disabling certain tests.) These are pretty obvious, could be prevented by changing file permissions (to a certain extent) and I use those more dangerously autonomous AI approaches for personal projects only. Would I pick up malicious changes if they were spread across many files, more sophisticated, and it was during crunch time? I don't know.
If there is some software that scans edits for AI-specific issues, doesn't live in VSCode, and isn't susceptible to simple prompt injection, I would happily give it a try.
Or we could just not have a bunch of unpredictable LLM bots running around our systems with read/write permissions...
Great point. It's actually possible for one agent to "help" another agent to run arbitrary code and vice versa.
I call it "Cross-Agent Privilege Escalation" and described in detail how such an attack might look like with Claude Code and GitHub Copilot (https://embracethered.com/blog/posts/2025/cross-agent-privil...).
Agents that can modify their own or other agents config and security settings is something to watch out for. It's becoming a common design weakness.
As more agents operate in same environment and on same data structures we will probably see more "accidents" but also possible exploits.
Maybe there's a tooling opportunity. Build some sort of local firewall that sits in front of agent calls to audit them, or at least log and track them.
I noticed that too, when working on a frontend project with hot code reloading it would immediately reflect the change even if it was still requiring review in the editor. It's convenient but also an obvious flaw that immediately turns any prompt injection into a RCE. It diligently asking me for confirmation still on every other kind of interaction feels like a dangerous false sense of security.
Why submitting this again after 2 months OP?
As mentioned in the article and in previous discussions:
> With the August Patch Tuesday release this is now fixed.
I don't want to speak for OP, but isn't the idea behind responsible disclosure to give developers time to patch an exploit before publicizing it?
From the article:
> After reporting the vulnerability on June 29, 2025 Microsoft confirmed the repro and asked a few follow up questions. A few weeks later MSRC pointed out that it is an issue they were already tracking, and that it will be patched by August. With the August Patch Tuesday release this is now fixed.
>When looking at VS Code and GitHub Copilot Agent Mode I noticed a strange behavior…
Looks like only applicable to Microsoft VS "Editor". Emacs and vim users, no worry it seems.