CVE-2026-25931
Remote Code Execution via Trusted Workspace Bypass in vscode-spell-checker
Publication date: 2026-02-09
Last updated on: 2026-02-10
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| streetsidesoftware | vscode_spell_checker | to 4.5.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
| CWE-807 | The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism. |
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
Can you explain this vulnerability to me?
The vulnerability exists in the vscode-spell-checker extension prior to version 4.5.4. The extension's DocumentSettings._determineIsTrusted method treats the configuration value cSpell.trustedWorkspace as the authoritative trust flag, which defaults to true and is read from workspace configuration each time settings are fetched.
Because the code coerces any truthy value to true and forwards it to ConfigLoader.setIsTrusted without consulting the actual VS Code workspace-trust state, an untrusted workspace can keep this flag true and place a malicious .cspell.config.js file.
When the workspace is opened, the extension host executes this attacker-controlled Node.js code with the user's privileges, leading to potential code execution.
This vulnerability was fixed in version 4.5.4 of the extension.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary Node.js code on your machine with the same privileges as the user running the vscode-spell-checker extension.
An attacker can place a malicious .cspell.config.js file in an untrusted workspace, and when you open that workspace, the malicious code will run.
This can lead to full compromise of your user environment, including data theft, system manipulation, or further malware installation.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should upgrade vscode-spell-checker to version 4.5.4 or later, where the issue is fixed.
Avoid opening untrusted workspaces that might contain malicious .cspell.config.js files, as these can execute attacker-controlled Node.js code with your user privileges.