CVE-2020-1481
published 2020-07-14


Priority: P2 (61, high)
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 23.56% (97.5th percentile)

A remote code execution vulnerability exists in the ESLint extension for Visual Studio Code when it validates source code after opening a project, aka 'Visual Studio Code ESLint Extension Remote Code Execution Vulnerability'.

Affected (3 ranges)

Vendor     Product                                        Version range   Fixed in
microsoft  eslint                                         < 2.1.7         2.1.7
microsoft  microsoft_visual_studio_code_eslint_extension  (none listed)   (none listed)
msrc       microsoft_visual_studio_code_eslint_extension  (none listed)   (none listed)

Detection & IOCs (extracted from sources)

  • Exploitation requires the victim to clone a repository and open it in Visual Studio Code — monitor for ESLint extension activity immediately after workspace/project open events, especially execution of unexpected child processes spawned by the ESLint extension host.
  • The vulnerability is triggered during source code validation after opening a project — alert on ESLint extension process spawning unusual or unexpected processes at workspace load time.
  • The root cause is improper handling of environment variables by the ESLint VS Code extension — inspect repository-supplied configuration files (e.g., .eslintrc, package.json) for malicious NODE_OPTIONS, PATH, or other environment variable overrides that could hijack execution.
  • The affected component is the ESLint extension for Visual Studio Code (publisher: dbaeumer). Ensure the extension is updated to the patched version available on the VS Code Marketplace.
  • Risk is elevated when the current user has administrative rights, as successful exploitation would grant the attacker full system control.

CVSS provenance

NVD v3.1: 8.8 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
NVD v2.0: 9.3 CRITICAL (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Vendor (MSRC): 8.8 HIGH