Impact
This is a Remote Code Execution Vulnerability that affects all versions of Prisma VS Code extension older than 2.20.0.
If a custom binary path for the Prisma format binary is set in VS Code Settings, for example by downloading a project that has a .vscode/settings.json file that sets a value for "prismaFmtBinPath".
That custom binary is executed when auto-formatting is triggered by VS Code or when validation checks are triggered after each keypress on a *.prisma file.
Patches
Fixed in
Workarounds
Users can
- edit or delete the
.vscode/settings.json file
- check if the binary is malicious and delete it
References
Similar CVE: Visual Studio Code ESLint Extension Remote Code Execution Vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27081
Pull Request for Prisma VS Code extension closing this vulnerability #750
Acknowledgements
For more information
If you have any questions or comments about this advisory:
Ry0taK Analyst
Impact
This is a Remote Code Execution Vulnerability that affects all versions of Prisma VS Code extension older than 2.20.0.
If a custom binary path for the Prisma format binary is set in VS Code Settings, for example by downloading a project that has a
.vscode/settings.jsonfile that sets a value for "prismaFmtBinPath".That custom binary is executed when auto-formatting is triggered by VS Code or when validation checks are triggered after each keypress on a
*.prismafile.Patches
Fixed in
Workarounds
Users can
.vscode/settings.jsonfileReferences
Similar CVE: Visual Studio Code ESLint Extension Remote Code Execution Vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27081
Pull Request for Prisma VS Code extension closing this vulnerability #750
Acknowledgements
For more information
If you have any questions or comments about this advisory: