GitHub Copilot Workspace Sandbox Escape via Malicious Markdown Rendering
Overview
Researchers at Trail of Bits discovered a critical sandbox escape vulnerability in the preview feature of GitHub Copilot Workspace. This feature is intended to provide a secure, isolated environment for AI-driven code modification and task execution. The vulnerability existed in how the VS Code extension for Copilot Workspace rendered Markdown files for preview. An attacker could create a malicious repository containing a specially crafted `README.md` file. This file would embed an `<iframe>` tag using the `srcdoc` attribute to contain HTML and JavaScript. When a developer opened this malicious repository and asked Copilot Workspace to perform a task that triggered a preview of the README file (e.g., 'summarize this project'), the JavaScript payload within the iframe would execute. Crucially, this execution occurred in the context of the main VS Code webview, not the isolated sandbox environment. This allowed the script to access and abuse the powerful VS Code API, enabling it to execute arbitrary commands on the developer's host machine with the user's permissions. The impact was a complete compromise of the developer's workstation, allowing for code theft, credential harvesting, or further network intrusion, all originating from a seemingly safe, sandboxed AI assistant.
Affected Systems
Testing Guide
1. Check the installed version of the 'GitHub Copilot' VS Code extension. If the version is below `1.1.25` and you use the Workspace feature, you are likely vulnerable.
2. (Caution: This is a live exploit) Create a repository with a `README.md` file containing the exploit payload described in the Trail of Bits research blog post.
3. Open this repository in a sandboxed or virtual machine environment running the vulnerable extension version.
4. Ask Copilot Workspace a question that would cause it to render the README, like 'What is this repo about?'.
5. Observe whether the payload executes a command on the host (e.g., opening a calculator application).
Mitigation Steps
1. **Update VS Code Extension:** Ensure the GitHub Copilot extension (and related extensions like GitHub Copilot Chat) is updated to the latest version via the VS Code marketplace.
2. **Disable Workspace Previews (if concerned):** As a temporary measure, disable features that automatically render or preview files from untrusted sources within the IDE.
3. **Vet Untrusted Repositories:** Exercise caution before cloning and opening repositories from unknown or untrusted sources, even with tools that promise sandboxing.
4. **Run IDE in a VM:** For maximum security when dealing with untrusted code, run your entire development environment inside a virtual machine to isolate it from your host operating system.
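A practical check for step 3 above, written here as an added example (not GitHub's or Trail of Bits' code): before opening an untrusted repository, scan its Markdown for raw HTML that a privileged preview would execute, i.e. the `<iframe srcdoc>` construct from the Overview plus inline scripts and `on*` event handlers. The sample README and the `noop()` handler are constructed for the demonstration.

```python
"""Flag raw HTML in Markdown that is dangerous if a renderer passes it
through unsanitised into a privileged webview (added example)."""
from html.parser import HTMLParser

# Elements that embed a document or run code when rendered as raw HTML.
RISKY_TAGS = {"iframe", "script", "object", "embed"}
# srcdoc carries an entire inline document; src can point anywhere.
RISKY_ATTRS = {"srcdoc", "src"}


class RiskyHtmlFinder(HTMLParser):
    """Collect (line, tag, attrs) for each construct worth blocking."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        line, _ = self.getpos()            # 1-based line of the '<'
        names = {name.lower() for name, _ in attrs}
        if tag in RISKY_TAGS:
            self.findings.append((line, tag, sorted(names & RISKY_ATTRS)))
        # Inline event handlers (onload, onerror, ...) fire on any element.
        handlers = sorted(a for a in names if a.startswith("on"))
        if handlers:
            self.findings.append((line, tag, handlers))


def find_risky_html(markdown_text):
    """Return the findings for one Markdown document; [] means clean."""
    finder = RiskyHtmlFinder()
    finder.feed(markdown_text)
    finder.close()
    return finder.findings


# Constructed README: ordinary Markdown plus two raw-HTML constructs.
SAMPLE_README = """# demo project

Some normal Markdown with a [link](https://example.invalid).

<iframe srcdoc="&lt;p&gt;rendered inline&lt;/p&gt;"></iframe>

<img src="logo.png" onload="noop()">
"""

if __name__ == "__main__":
    for line, tag, attrs in find_risky_html(SAMPLE_README):
        print(f"line {line}: <{tag}> with {', '.join(attrs)}")
```

Run it over every `*.md` in a freshly cloned repository and treat any finding as a reason to read the file in a plain editor rather than a rendered preview.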
Patch Details
The vulnerability was addressed by GitHub in version 1.1.25 of the VS Code extension by properly sandboxing the Markdown rendering process.