MSRC: Microsoft Visual Studio 2019 Version 16.11 vulnerabilities

106 known vulnerabilities affecting msrc/microsoft_visual_studio_2019_version_16.11.

Total CVEs: 106
CISA KEV: 1 (actively exploited)
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 3, HIGH 85, MEDIUM 17, LOW 1

Vulnerabilities

Page 1 of 6
CVE-2025-55240 | HIGH | CVSS 7.3 | 2025-10-14 | source: msrc
CVE-2025-55240 [HIGH] CWE-284 Visual Studio Elevation of Privilege Vulnerability. Description: Improper access control in Visual Studio allows an authorized attacker to elevate privileges locally. FAQ: According to the CVSS metric, user interaction is required (UI:R) and privileges required is Low (PR:L). What does that mean for this vulnerability? An authenticated attacker could place a malicious file on the path to the project directory and t
CVE-2025-49739 | HIGH | CVSS 8.8 | 2025-07-08 | source: msrc
CVE-2025-49739 [HIGH] CWE-59 Visual Studio Elevation of Privilege Vulnerability. Description: Improper link resolution before file access ('link following') in Visual Studio allows an unauthorized attacker to elevate privileges over a network. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exploited this vulnerability could gain SYSTEM privileges. Visual Studio: V
CVE-2025-46334 | HIGH | CVSS 8.6 | 2025-07-08 | source: msrc
CVE-2025-46334 [HIGH] GitHub: CVE-2025-46334 Git Malicious Shell Vulnerability. Description: CVE-2025-46334 is regarding a vulnerability in Git GUI (Windows only) where a malicious repository can ship versions of sh.exe or typical textconv filter programs such as astextplain. On Windows, path lookup can find such executables in the worktree. These programs are invoked when the user selects "Git Bash" or "Browse Files" from the menu. GitHub
CVE-2025-27614 | HIGH | CVSS 8.6 | 2025-07-08 | source: msrc
CVE-2025-27614 [HIGH] GitHub: CVE-2025-27614 Gitk Arbitrary Code Execution Vulnerability. Description: CVE-2025-27614 is regarding a vulnerability in Gitk where a Git repository can be crafted in such a way that a user who has cloned the repository can be tricked into running any script supplied by the attacker by invoking gitk filename, where filename has a particular structure. GitHub created this CVE on their behalf. The docum
CVE-2025-48384 | HIGH | CVSS 8.0 | KEV | 2025-07-08 | source: msrc
CVE-2025-48384 [HIGH] GitHub: CVE-2025-48384 Git Symlink Vulnerability. Description: CVE-2025-48384 is regarding a vulnerability in Git where when reading a config value, Git strips any trailing carriage return and line feed (CRLF). When writing a config entry, values with a trailing CR are not quoted, causing the CR to be lost when the config is later read. When initializing a submodule, if the submodule path contains a trailing CR, the altered p
CVE-2025-46835 | HIGH | CVSS 8.5 | 2025-07-08 | source: msrc
CVE-2025-46835 [HIGH] GitHub: CVE-2025-46835 Git File Overwrite Vulnerability. Description: CVE-2025-46835 is regarding a vulnerability in Git GUI where when a user clones an untrusted repository and is tricked into editing a file located in a maliciously named directory in the repository, then Git GUI can create and overwrite any writable file. GitHub created this CVE on their behalf. The documented Visual Studio updates incorporate update
CVE-2025-48385 | HIGH | CVSS 8.6 | 2025-07-08 | source: msrc
CVE-2025-48385 [HIGH] GitHub: CVE-2025-48385 Git Protocol Injection Vulnerability. Description: CVE-2025-48385 is regarding a vulnerability in Git where when cloning a repository Git knows to optionally fetch a bundle advertised by the remote server, which allows the server-side to offload parts of the clone to a CDN. The Git client does not perform sufficient validation of the advertised bundles, which allows the remote side to perform
CVE-2025-48386 | MEDIUM | CVSS 6.3 | 2025-07-08 | source: msrc
CVE-2025-48386 [MEDIUM] GitHub: CVE-2025-48386 Git Credential Helper Vulnerability. Description: CVE-2025-48386 is regarding a vulnerability in Git where the wincred credential helper uses a static buffer (target) as a unique key for storing and comparing against internal storage. This credential helper does not properly bounds check the available space remaining in the buffer before appending to it with wcsncat(), leading to potential b
CVE-2025-27613 | LOW | CVSS 3.6 | 2025-07-08 | source: msrc
CVE-2025-27613 [LOW] GitHub: CVE-2025-27613 Gitk Arguments Vulnerability. Description: CVE-2025-27613 is regarding a vulnerability in Gitk where when a user clones an untrusted repository and runs Gitk without additional command arguments, any writable file can be created and truncated. The option "Support per-file encoding" must have been enabled. The operation "Show origin of this line" is affected as well, regardless of the option being enab
CVE-2025-32702 | HIGH | CVSS 7.8 | 2025-05-13 | source: msrc
CVE-2025-32702 [HIGH] CWE-77 Visual Studio Remote Code Execution Vulnerability. Description: Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an unauthorized attacker to execute code locally. FAQ: According to the CVSS metric, the attack vector is local (AV:L). Why does the CVE title indicate that this is a remote code execution? The word Remote in the title refers to the location of the
CVE-2025-32703 | MEDIUM | CVSS 5.5 | 2025-05-13 | source: msrc
CVE-2025-32703 [MEDIUM] CWE-1220 Visual Studio Information Disclosure Vulnerability. Description: Insufficient granularity of access control in Visual Studio allows an authorized attacker to disclose information locally. FAQ: What type of information could be disclosed by this vulnerability? Exploiting this vulnerability could allow the disclosure of certain memory address within kernel space. Knowing the exact location of kernel memory could b
CVE-2025-24998 | HIGH | CVSS 7.3 | 2025-03-11 | source: msrc
CVE-2025-24998 [HIGH] CWE-427 Visual Studio Elevation of Privilege Vulnerability. Description: Uncontrolled search path element in Visual Studio allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could gain administrator privileges. FAQ: According to the CVSS metric, the attack ve
CVE-2025-25003 | HIGH | CVSS 7.3 | 2025-03-11 | source: msrc
CVE-2025-25003 [HIGH] CWE-427 Visual Studio Elevation of Privilege Vulnerability. Description: Uncontrolled search path element in Visual Studio allows an authorized attacker to elevate privileges locally. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? The attacker would gain the rights of the user that is running the affected application. FAQ: According to the CVSS metric, user interaction is
CVE-2025-21206 | HIGH | CVSS 7.3 | 2025-02-11 | source: msrc
CVE-2025-21206 [HIGH] CWE-427 Visual Studio Installer Elevation of Privilege Vulnerability. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Exploitation of this vulnerability requires that a local user executes the Visual Studio installer. FAQ: What privileges could be gained by an attacker who successfully exploited this vulnerability? An attacker who successfully exp
CVE-2023-32002 | HIGH | CVSS 9.8 | 2025-02-11 | source: msrc
CVE-2023-32002 [CRITICAL] HackerOne: CVE-2023-32002 Node.js `Module._load()` policy Remote Code Execution Vulnerability. NIST NVD Details: https://nvd.nist.gov/vuln/detail/CVE-2023-32002 FAQ: Why is this HackerOne CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Node.js software which is consumed by Microsoft Visual Studio. It is being documented in the Security U
CVE-2025-21172 | HIGH | CVSS 7.5 | 2025-01-14 | source: msrc
CVE-2025-21172 [HIGH] CWE-190 .NET and Visual Studio Remote Code Execution Vulnerability. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Exploitation of this vulnerability requires that an attacker convinces a user to open a maliciously crafted package file in Visual Studio. FAQ: According to the CVSS metric, the attack complexity is high (AC:H). What does that mean fo
CVE-2025-21178 | HIGH | CVSS 8.8 | 2025-01-14 | source: msrc
CVE-2025-21178 [HIGH] CWE-122 Visual Studio Remote Code Execution Vulnerability. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Exploitation of this vulnerability requires that an attacker convinces a user to open a maliciously crafted package file in Visual Studio. Visual Studio: Visual Studio. Microsoft: Microsoft. Customer Action Required: Yes. Impact: Remote Code Execution.
CVE-2025-21176 | HIGH | CVSS 8.8 | 2025-01-14 | source: msrc
CVE-2025-21176 [HIGH] CWE-126 .NET, .NET Framework, and Visual Studio Remote Code Execution Vulnerability. FAQ: According to the CVSS metric, user interaction is required (UI:R). What interaction would the user have to do? Exploitation of this vulnerability requires that an attacker convinces a user to open a maliciously crafted package file in Visual Studio. .NET, .NET Framework, Visual Studio: .NET, .NET Framework, Vi
CVE-2024-50338 | HIGH | CVSS 7.4 | 2025-01-14 | source: msrc
CVE-2024-50338 [HIGH] CWE-20 GitHub: CVE-2024-50338 Malformed URL allows information disclosure through git-credential-manager. FAQ: Why is this GitHub CVE included in the Security Update Guide? The vulnerability assigned to this CVE is in Git for Windows software which is consumed by Microsoft Visual Studio. It is being documented in the Security Update Guide to announce that the latest builds of V
CVE-2024-43590 | HIGH | CVSS 7.8 | 2024-10-08 | source: msrc
CVE-2024-43590 [HIGH] CWE-284 Visual C++ Redistributable Installer Elevation of Privilege Vulnerability. FAQ: What privileges could be gained by an attacker who successfully exploited the vulnerability? An attacker who successfully exploited this vulnerability could create, modify, or delete files in the security context of the NT AUTHORITY\SYSTEM account. Visual C++ Redistributable Installer: Visual C++ Redistributable I