Microsoft has disclosed two important security vulnerabilities in GitHub Copilot and Visual Studio that could allow attackers to bypass key security features.
Both vulnerabilities were disclosed on November 11, 2025, and have been assigned an Important severity rating.
Path Traversal Vulnerability in Visual Studio
The first vulnerability, tracked as CVE-2025-62449, stems from improper limitation of a pathname to a restricted directory and is classified as a path traversal flaw (CWE-22).
This weakness allows attackers to access files and directories outside of restricted areas on a local system.
With a CVSS score of 6.8, this vulnerability requires low attack complexity and local access with limited privileges.
The threat actor needs user interaction to trigger the vulnerability, but once it is exploited, could achieve high confidentiality and integrity impact, along with limited availability impact.
The attack vector is local, meaning the attacker must already have some level of access to the affected system.
CVE ID         | Product        | Impact                  | Weakness                        | CVSS Score
CVE-2025-62449 | Visual Studio  | Security Feature Bypass | CWE-22: Path Traversal          | 6.8
CVE-2025-62453 | GitHub Copilot | Security Feature Bypass | CWE-1426: AI Output Validation  | 5.0
The risk is heightened because many developers use Visual Studio as their primary development environment, potentially exposing sensitive source code and configuration files to unauthorized access.
AI Output Validation Flaw in GitHub Copilot
The second vulnerability, CVE-2025-62453, involves improper validation of generative AI output (CWE-1426) and a protection mechanism failure (CWE-693).
This flaw specifically affects GitHub Copilot's AI-generated code suggestions.
With a CVSS score of 5.0, this vulnerability could allow attackers to manipulate AI output to bypass security checks or inject malicious code suggestions.
This vulnerability is particularly concerning because developers often trust and implement code suggestions from AI assistants without thorough scrutiny.
Attackers exploiting this flaw could inject backdoors or security flaws directly into projects through compromised code suggestions. Both vulnerabilities require user interaction and local system access, but they carry significant risks for development teams.
Microsoft has released patches through its official CVE channels, and developers using GitHub Copilot and Visual Studio should apply the updates immediately.
The disclosure highlights growing security concerns around AI-assisted development tools and the importance of validating generated code before it is implemented.
Organizations should review their development practices and security policies surrounding AI code generation tools.
Development teams are advised to check Microsoft's official security advisories for available patches and to implement proper code review processes for all AI-generated suggestions.