Description
A remote code execution vulnerability exists in VS Code 1.99.0 and earlier versions: another user in the same group could edit the directory VS Code uses as $ZDOTDIR and have extra code executed in the integrated zsh terminal.
Patches
The fix is available starting with VS Code 1.99.1. The fix (2f2e2c4) mitigates this attack by setting the sticky bit and removing group and other permissions, restricting the folder to the user that created it.
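The permission change described above, as an added example that is not VS Code's own code: a POSIX shell script that creates a per-user ZDOTDIR with mode 1700 (sticky bit, owner-only access) and a check that refuses any candidate directory which is not owned by the current user or still carries group/other permission bits, the condition the advisory describes. The directory path is a constructed placeholder; the check parses `ls -ldn` output so it works with both GNU and BSD userlands.

```shell
#!/bin/sh
# Added example, not part of the VS Code project.
# Demonstrates the post-fix ZDOTDIR layout (mode 1700) and a defender-side
# check that a shell startup directory is private to the current user.
set -eu

# Create (or tighten) a ZDOTDIR with sticky bit set and no group/other bits.
# If the path already exists and is owned by someone else, chmod fails and
# set -e aborts, which is the desired outcome.
make_private_zdotdir() {
    dir="$1"
    mkdir -p "$dir"
    chmod 1700 "$dir"
    printf '%s\n' "$dir"
}

# Return 0 only if the directory is owned by the current uid and has no
# group/other permission bits. "drwx------" and "drwx-----T" (sticky bit
# without other-execute) are the only accepted mode strings.
check_zdotdir() {
    dir="$1"
    [ -d "$dir" ] || return 1
    entry=$(ls -ldn "$dir")                         # numeric uid/gid output
    modestr=$(printf '%s' "$entry" | cut -c1-10)    # e.g. drwx-----T
    owner=$(printf '%s' "$entry" | awk '{print $3}')
    [ "$owner" = "$(id -u)" ] || return 1
    group_other=$(printf '%s' "$modestr" | cut -c5-10)
    case "$group_other" in
        ------|-----T) return 0 ;;
        *) return 1 ;;
    esac
}

# Demo: a freshly created directory passes; loosening group permissions
# (the pre-fix, group-writable situation) makes the check fail.
demo=$(make_private_zdotdir "${TMPDIR:-/tmp}/zdotdir-demo-$$")
check_zdotdir "$demo" && echo "ok: $demo is private to $(id -un)"
chmod g+w "$demo"
check_zdotdir "$demo" || echo "refused: $demo is group-writable"
rm -rf "$demo"
```

A wrapper that launches zsh can call `check_zdotdir "$ZDOTDIR"` before exporting the variable and fall back to the user's home directory when the check fails, so startup files from a shared, group-writable location are never sourced.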
Workarounds
Disable shell integration in VS Code by setting "terminal.integrated.shellIntegration.enabled": false
or do not open a zshell within VS Code.
References