CVE-2025-62453 — GitHub Copilot / VS Code Prompt Injection (Security Feature Bypass)

Key insight

NVD’s description for this CVE is a single sentence. The deeper attack mechanism documented here is inferred from the related GitHub Security Blog post on VS Code prompt injection defenses (published August 25 2025, predating the CVE and carrying no CVE number of its own). Readers should treat the attack-vector detail as “same class, best available public evidence” rather than a precise one-to-one mapping to the CVE record.

Summary

CVE-2025-62453 is a Microsoft-sourced vulnerability affecting GitHub Copilot Chat and Visual Studio Code. The NVD record (published 2025-11-11, last modified 2025-11-14) describes the weakness in one sentence: “Improper validation of generative AI output in GitHub Copilot and Visual Studio Code allows an authorized attacker to bypass a security feature locally.” The CWE assigned is CWE-693 (Protection Mechanism Failure). No CVSS 4.0 score had been assigned by NVD at the time of fetch.

The broader class of attack this CVE belongs to was publicly documented by GitHub Security Lab on 2025-08-25 in a blog post covering multiple indirect prompt-injection vulnerabilities discovered during an internal security assessment of VS Code agent mode. Those findings — which were addressed in coordination with the VS Code team — showed that malicious instructions embedded in external data sources (e.g., a GitHub Issue or pull request) could be ingested by Copilot’s agent mode and cause it to perform sensitive tool calls (file reads, credential exfiltration, arbitrary command execution) without user confirmation, bypassing the confirmation-gate protection mechanism.

This incident is cited by Andrew Bullen in his “Breaking the Lethal Trifecta” talk as one of four 2025 prompt-injection incidents motivating Stripe’s containment architecture around agentic AI systems.

Attack Vector

The attack exploits the indirect prompt injection surface created when VS Code’s agent mode fetches external content (GitHub Issues, pull requests, web pages) and includes that content as role: "tool" output in the LLM’s conversation context. Even though VS Code structurally separates tool output from system and user messages in the JSON request, the LLM backend blends all roles into a single text prompt for inference. State-of-the-art models — including GPT-4.1, Gemini 2.5 Pro, and Claude Sonnet 4 — were found to be susceptible to following malicious instructions embedded in tool output rather than treating it as inert data.

The GitHub Security Lab post documents three concrete exploitation chains within this class:

  1. Credential exfiltration via fetch_webpage tool — A regex-based trusted-URL check (rather than proper URL parsing) allowed an attacker-controlled URL like https://attacker.com/.github.com/x to be treated as trusted. A malicious GitHub Issue instructed the agent to read the local GitHub OAuth token file (~/.config/github-copilot/apps.json) and silently exfiltrate it via the fetch tool — all without user confirmation.

  2. Credential exfiltration via Simple Browser tool — The embedded Simple Browser tool, intended for local site testing but capable of loading external URLs, was similarly abused without triggering the confirmation gate.

  3. Arbitrary command execution via editFile tool + MCP config — Because the editFile tool auto-saves changes to disk before the user can approve or reject them, and because VS Code reloads mcp.json / settings.json on change, an attacker-crafted issue could overwrite MCP server configuration to inject an arbitrary shell command that executed immediately — before any review dialog appeared. Johann Rehberger (EmbraceTheRed) and Markus Vervier (Persistent Security) independently reported variants of this pattern.

A key amplifier noted in the blog: VS Code sets LLM temperature to 0 for agent-mode requests, which makes prompt-injection exploits highly reproducible once a working payload is found.

Timeline

  • 2025-05-28 (approx.) — GitHub Security Lab assessment conducted; exploits demonstrated internally.
  • 2025-08-25 — GitHub Security Blog publishes “Safeguarding VS Code against prompt injections,” disclosing the vulnerability class and documenting fixes already shipped. No CVE number assigned to this disclosure.
  • 2025-11-11 — CVE-2025-62453 published to NVD (source: Microsoft Corporation). Single-sentence description; CWE-693 assigned.
  • 2025-11-14 — CVE last modified in NVD. No CVSS score provided at time of fetch.

Defensive Lessons

Confirmation gates must be architecturally enforced, not just UI conventions. The core failure pattern here is that protection mechanisms (user confirmation dialogs) could be bypassed because the enforcement was not deterministic — tool calls executed before confirmation under certain conditions, and some tools lacked confirmation requirements entirely. This maps directly to the Lethal Trifecta framing: an agent with access to sensitive tools + external data ingestion + insufficient confirmation gates creates a compound exploitable condition.

Specific controls demonstrated to matter in this incident:

  • URL parsing correctness — Regex-based trusted-domain checks are insufficient; proper URL parsing is required to prevent bypass via path-embedded domain names.
  • Mandatory confirmation for network egress — Any tool that can make outbound requests to novel URLs should require explicit user confirmation regardless of the origin of the instruction.
  • File-write isolation — Auto-saving edits to disk before user review creates a TOCTOU-style window. Agents should not write outside the workspace, and configuration files should be protected by an additional confirmation layer.
  • Sandboxing — Running VS Code agent mode inside a Developer Container or GitHub Codespace limits blast radius even when all other controls fail.
  • Tool-scope minimization — Restricting the set of tools available to the LLM (e.g., disabling fetch_webpage or Simple Browser in untrusted contexts) reduces attack surface.
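Added example (not VS Code's or GitHub's code) showing the two deterministic checks the first and third controls call for: a hostname match done by parsing the URL instead of a regex substring test, and a workspace-containment check for file writes with an extra gate on the config files VS Code reloads on change. The allowlist and the workspace paths are constructed for illustration.

```typescript
import * as path from "path";

// Constructed allowlist; the real trusted-domain set is not on the page.
const TRUSTED_HOSTS = ["github.com", "api.github.com"];

// Regex-style check of the kind the post describes as bypassable: it only asks
// whether a trusted domain string appears anywhere in the URL, so a path
// segment such as "/.github.com/" satisfies it.
function isTrustedUrlRegex(url: string): boolean {
  return TRUSTED_HOSTS.some((h) =>
    new RegExp(h.replace(/\./g, "\\.")).test(url)
  );
}

// Corrected check: parse with the WHATWG URL parser, then compare the parsed
// hostname exactly against the allowlist. Path and query cannot influence it.
function isTrustedUrlParsed(url: string): boolean {
  let parsed: URL;
  try {
    parsed = new URL(url);
  } catch (_err) {
    return false; // unparseable input is never trusted
  }
  if (parsed.protocol !== "https:") return false;
  return TRUSTED_HOSTS.includes(parsed.hostname);
}

// Workspace containment for edits: resolve the target against the workspace
// root and require that the relative path does not climb out of it, so an
// injected edit cannot reach ~/.config or a user-level settings file.
function isInsideWorkspace(workspaceRoot: string, target: string): boolean {
  const root = path.resolve(workspaceRoot);
  const resolved = path.resolve(root, target);
  const rel = path.relative(root, resolved);
  if (rel === "" || path.isAbsolute(rel)) return false;
  return rel !== ".." && !rel.startsWith(".." + path.sep);
}

// Files VS Code reloads on change (named on the page); a write to one of these
// should require confirmation even when it lands inside the workspace.
const RELOADED_CONFIG_FILES = new Set(["mcp.json", "settings.json"]);

function needsConfigConfirmation(target: string): boolean {
  return RELOADED_CONFIG_FILES.has(path.basename(target));
}
```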

The VS Code team’s response — decoupling trusted-URL logic from the fetch tool, adding universal confirmation for novel URLs, restricting editFile to workspace scope, and adding pre-trust modals for MCP servers — illustrates a defense-in-depth approach consistent with the containment architectures discussed in Bullen’s Stripe talk.

Gap

The exact scope of CVE-2025-62453 relative to the multiple sub-vulnerabilities documented in the August 2025 blog post is unclear. The CVE record does not specify which tool or execution path it covers. It is possible the CVE tracks only one of the three chains documented publicly, or covers all of them as a single record. The MSRC advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-62453 may contain additional specificity not captured in the NVD scrape.

Sources

See the sources: field in the frontmatter.