A critical security vulnerability in GitHub Copilot and Visual Studio Code has been discovered that allows attackers to achieve remote code execution through prompt injection attacks, potentially leading to full system compromise of developers’ machines.
The vulnerability, tracked as CVE-2025-53773, exploits GitHub Copilot’s ability to modify project configuration files, particularly the .vscode/settings.json file, enabling attackers to bypass security controls and execute arbitrary commands on target systems.
Key Takeaways
1. CVE-2025-53773 uses prompt injection to enable Copilot’s “YOLO mode”.
2. Creates botnet “ZombAIs,” spreads AI viruses through Git.
3. Update Visual Studio 2022 immediately.
GitHub Copilot “YOLO Mode” Vulnerability
The vulnerability centers on GitHub Copilot’s ability to create and write files in the workspace without explicit user approval, with changes being immediately persisted to disk rather than presented as reviewable diffs.
Security researchers discovered that by manipulating the .vscode/settings.json file, attackers can enable what is known as “YOLO mode” by adding the configuration line “chat.tools.autoApprove”: true.
This experimental feature, present by default in standard VS Code installations, disables all user confirmations and grants the AI agent unrestricted access to execute shell commands, browse the web, and perform other privileged operations across Windows, macOS, and Linux systems.
The attack mechanism relies on prompt injection techniques where malicious instructions are embedded in source code files, web pages, GitHub issues, or other content that Copilot processes.
These instructions can even use invisible Unicode characters to remain hidden from developers while still being processed by the AI model.
Once the malicious prompt is processed, Copilot automatically modifies the settings file to enable auto-approval mode, immediately escalating its privileges without user knowledge or consent.
Researchers successfully demonstrated conditional prompt injection techniques that can target specific operating systems, allowing attackers to deploy platform-specific payloads.
Full control of the developer’s host
The vulnerability allows attackers to join compromised developer machines to botnets, creating what researchers term “ZombAIs” – AI-controlled compromised systems that can be remotely commanded.
More concerning is the potential for creating self-propagating AI viruses that can embed malicious instructions in Git repositories and spread as developers download and interact with infected code.
The vulnerability also allows modification of other critical configuration files, such as .vscode/tasks.json, and the addition of malicious MCP (Model Context Protocol) servers, expanding the attack surface considerably.
These capabilities open the door to the deployment of malware, ransomware, information stealers, and the establishment of persistent command and control channels.
Risk Factors and Details
Affected Products: GitHub Copilot, Visual Studio Code, Microsoft Visual Studio 2022
Impact: Remote Code Execution
Exploit Conditions: User interaction required (UI:R); local attack vector (AV:L); prompt injection delivery mechanism; target must process malicious content
CVSS 3.1 Score: 7.8 (High)
Mitigations
Microsoft assigned this vulnerability a CVSS 3.1 score of 7.8/6.8, classifying it as “Important” severity with the weakness categorized as CWE-77 (Improper Neutralization of Special Elements used in a Command).
The vulnerability was responsibly disclosed on June 29, 2025, and Microsoft confirmed the issue was already being tracked internally before releasing patches as part of the August 2025 Patch Tuesday update.
The fix addresses the core issue by preventing AI agents from modifying security-relevant configuration files without explicit user approval.
Microsoft Visual Studio 2022 version 17.14.12 includes the security update that mitigates this vulnerability.
Security experts recommend that organizations immediately update their development environments and implement additional controls to prevent AI agents from modifying their own configuration settings.
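One such additional control, as an added example that is not from the original article or from Microsoft: a workspace audit that flags .vscode/settings.json when it turns on chat.tools.autoApprove and lists invisible Unicode format characters in text files. The function names, the file-extension list and the sample workspace are assumptions constructed for illustration.

```python
import re
import tempfile
import unicodedata
from pathlib import Path

# Setting the article names as switching Copilot into "YOLO mode".
AUTO_APPROVE = re.compile(r'"chat\.tools\.autoApprove"\s*:\s*true\b')
# Matches JSON strings or JSONC comments, so comments can be dropped safely.
JSONC_TOKEN = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
TEXT_SUFFIXES = {".md", ".txt", ".py", ".js", ".ts", ".json", ".yml", ".yaml"}  # assumed scope


def auto_approve_enabled(settings_text):
    """True if the setting is active (commented-out copies are ignored)."""
    live = JSONC_TOKEN.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", settings_text)
    return bool(AUTO_APPROVE.search(live))


def hidden_chars(text):
    """List (line, column, code point) of invisible Unicode format characters."""
    hits = []
    for ln, line in enumerate(text.lstrip("\ufeff").splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if unicodedata.category(ch) == "Cf":  # zero-width, bidi, tag characters
                hits.append((ln, col, f"U+{ord(ch):04X}"))
    return hits


def audit_workspace(root):
    """Return findings as (relative path, message) for one checked-out workspace."""
    root, findings = Path(root), []
    settings = root / ".vscode" / "settings.json"
    if settings.is_file() and auto_approve_enabled(settings.read_text(encoding="utf-8")):
        findings.append((".vscode/settings.json", "chat.tools.autoApprove is true"))
    for path in sorted(root.rglob("*")):
        rel = path.relative_to(root)
        if path.is_file() and ".git" not in rel.parts and path.suffix in TEXT_SUFFIXES:
            for ln, col, cp in hidden_chars(path.read_text(encoding="utf-8", errors="replace")):
                findings.append((rel.as_posix(), f"hidden {cp} at {ln}:{col}"))
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample workspace
        ws = Path(tmp)
        (ws / ".vscode").mkdir()
        (ws / ".vscode" / "settings.json").write_text('{\n  "chat.tools.autoApprove": true\n}\n', encoding="utf-8")
        (ws / "README.md").write_text("Build steps\u200b\U000E0041 below\n", encoding="utf-8")
        for finding in audit_workspace(ws):
            print(*finding, sep=": ")
```

Run as a pre-commit hook or CI step, a non-empty result is a reason to review the change by hand; zero-width joiners in legitimate emoji sequences will also be reported.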