GitHub Copilot Workspace Vulnerable to Container Escape via Malicious Markdown
Overview
A vulnerability was discovered in the GitHub Copilot Workspace preview that allowed for container escape and arbitrary code execution on the underlying infrastructure. The flaw resided in how the Workspace environment processed and rendered user-provided markdown files, specifically within `.md` files in the project's root. An attacker could craft a malicious markdown file containing a specially formatted `iframe` or `object` tag with a `src` attribute pointing to a crafted SVG file. When a user started a new Copilot Workspace session with this repository, the service's internal rendering engine would attempt to process the markdown for the UI.

The SVG parser contained a heap overflow vulnerability when handling malformed path elements. This overflow could be exploited to escape the sandboxed container in which the user's workspace was running, granting the attacker code execution on the host machine within GitHub's production environment. This could potentially lead to access to the workspaces of other users hosted on the same physical node.

The issue was reported responsibly by a security researcher via GitHub's bug bounty program. GitHub responded by disabling the markdown preview feature in Workspaces temporarily, patching the underlying SVG rendering library, and implementing stricter seccomp filters on the workspace containers.
Affected Systems
Testing Guide
This vulnerability was patched on the server side by GitHub and is no longer testable by external users. The original proof-of-concept involved creating a repository with two files:

1. `README.md` containing: `<iframe src="poc.svg" width="1000" height="1000"></iframe>`
2. `poc.svg` containing the exploit payload for the SVG parser.

Opening this repository in a GitHub Copilot Workspace session would trigger the exploit on GitHub's backend.
Mitigation Steps
1. **No User Action Required (Service-Side):** GitHub has patched its infrastructure. The vulnerability was on the service side, not in the user's client.
2. **Audit Project Files:** As a best practice, do not clone or open Copilot Workspaces from untrusted repositories. Always review repository contents, especially configuration and documentation files, for suspicious content before use.
3. **Use Trusted Base Images:** When defining a custom `devcontainer.json`, ensure you are using official and verified base images for your development environment to minimize the attack surface.
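
One way to carry out the file review in step 2 for the pattern this advisory describes, as an added example (not GitHub's tooling or the researcher's code): it parses the root-level `.md` files and reports `iframe`/`object` tags whose URL points at an SVG. The function names, the sample README text, and the check of `<object>`'s `data` attribute in addition to `src` are assumptions of this example.

```python
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import unquote, urlsplit

EMBED_TAGS = {"iframe", "object"}  # tags named in the advisory
URL_ATTRS = {"src", "data"}        # assumption: also check <object>'s standard "data" attribute

def is_svg_reference(url):
    """True if the URL resolves to an SVG file or an inline SVG data: URI."""
    parts = urlsplit(url.strip())
    if parts.scheme == "data":
        return parts.path.lower().startswith("image/svg+xml")
    # Decode percent-escapes so "poc%2Esvg" is not missed; the query string is ignored.
    return unquote(parts.path).lower().endswith((".svg", ".svgz"))

class EmbedFinder(HTMLParser):
    """Collects (line, tag, url) for embed tags that reference an SVG."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names, so <OBJECT DATA=...> matches.
        if tag in EMBED_TAGS:
            for name, value in attrs:
                if name in URL_ATTRS and value and is_svg_reference(value):
                    self.findings.append((self.getpos()[0], tag, value))

def scan_markdown(text):
    finder = EmbedFinder()
    finder.feed(text)
    finder.close()
    return finder.findings

def scan_repo_root(root):
    """Scan only *.md files directly in the repository root, as in the advisory."""
    results = {}
    for path in sorted(Path(root).iterdir()):
        if path.is_file() and path.suffix.lower() == ".md":
            hits = scan_markdown(path.read_text(encoding="utf-8", errors="replace"))
            if hits:
                results[path.name] = hits
    return results

# Constructed sample input (not taken from a real repository).
SAMPLE_README = """# Demo project
<iframe src="poc.svg" width="1000" height="1000"></iframe>
<OBJECT DATA='assets/Logo.SVG?v=2'></OBJECT>
<iframe src="https://example.com/docs.html"></iframe>
"""

if __name__ == "__main__":
    for line, tag, url in scan_markdown(SAMPLE_README):
        print(f"README.md:{line}: <{tag}> references SVG {url!r}")
```

A hit is a prompt for manual review rather than proof of malice, since embedding an SVG is legitimate in many projects.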
Patch Details
The vulnerability was patched by GitHub's infrastructure team on January 21, 2026. No client-side update is necessary.