CVE-2025-62222 — Improper Input Validation in Microsoft Visual Studio Code Copilot Chat Extension

CWE-20 — Improper Input Validation CWE-77 — Command Injection4 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.1%

top 67.77%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Visual Studio Code Copilot Chat Extension Microsoft Github Copilot Chat

Timeline

PublishedNov 11

Description

Improper neutralization of special elements used in a command ('command injection') in Visual Studio Code CoPilot Chat Extension allows an unauthorized attacker to execute code over a network.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 2.8 | Impact: 5.9

Affected Packages2 packages

▶CVEListV5microsoft/microsoft_visual_studio_code_copilot_chat_extension0.27.0 — 0.32.5

▶NVDmicrosoft/github_copilot_chat< 0.32.5

🔴Vulnerability Details

CVEList

Agentic AI and Visual Studio Code Remote Code Execution Vulnerability↗2025-11-11

▶

GHSA

GHSA-hcvg-jrfj-vhqx: Improper neutralization of special elements used in a command ('command injection') in Visual Studio Code CoPilot Chat Extension allows an unauthorize↗2025-11-11

▶

📋Vendor Advisories

Microsoft

Agentic AI and Visual Studio Code Remote Code Execution Vulnerability↗2025-11-11

▶