CVE-2025-62449 — Path Traversal in Microsoft Visual Studio Code Copilot Chat Extension

CWE-22 — Path Traversal4 documents4 sources

Severity

6.8MEDIUMNVD

EPSS

0.0%

top 89.93%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Microsoft Visual Studio Code Copilot Chat Extension Microsoft Github Copilot Chat

Timeline

PublishedNov 11

Description

Improper limitation of a pathname to a restricted directory ('path traversal') in Visual Studio Code CoPilot Chat Extension allows an authorized attacker to bypass a security feature locally.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:LExploitability: 1.3 | Impact: 5.5

Affected Packages2 packages

▶CVEListV5microsoft/microsoft_visual_studio_code_copilot_chat_extension0.27.0 — 0.32.5

▶NVDmicrosoft/github_copilot_chat< 0.32.0

🔴Vulnerability Details

GHSA

GHSA-mc3j-5pr5-wj7r: Improper limitation of a pathname to a restricted directory ('path traversal') in Visual Studio Code CoPilot Chat Extension allows an authorized attac↗2025-11-11

▶

CVEList

Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability↗2025-11-11

▶

📋Vendor Advisories

Microsoft

Microsoft Visual Studio Code CoPilot Chat Extension Security Feature Bypass Vulnerability↗2025-11-11

▶