Description
Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to execute code locally.
Published: 2025-12-09
Score: 8.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Improper neutralization of special elements used in a command, commonly known as command injection, is present in the GitHub Copilot plugin for JetBrains IDEs. This flaw allows an unauthorized attacker to construct input that is not properly sanitized and thereby cause the plugin to execute arbitrary shell commands on the host machine. The vulnerability is categorized as CWE‑77 and results in both confidentiality and integrity violations, permitting the attacker to run any code or scripts with the privileges of the user running the IDE.

Affected Systems

The affected product is the Microsoft GitHub Copilot Plugin for JetBrains IDEs. No specific versions are listed in the advisory, so any installation of the plugin, regardless of patch level, may be vulnerable unless a later update explicitly addresses this issue.

Risk and Exploitability

The CVSS score of 8.4 classifies this as a high‑severity vulnerability. EPSS indicates a very low probability of exploitation, yet the flaw remains unlisted in KEV, meaning no public exploitation has been reported. The likely attack vector is local; an attacker who can supply or influence input to the plugin—such as a malicious user or compromised extension—can trigger the command injection, leading to local code execution. Even though exploitation is not widespread, the potential impact is severe, justifying prompt remediation.

Generated by OpenCVE AI on April 20, 2026 at 15:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update for the GitHub Copilot Plugin available from Microsoft to eliminate the command injection flaw.
  • If an update is not immediately available, temporarily disable the GitHub Copilot plugin in all JetBrains IDEs to prevent the vulnerability from being exploited.
  • Monitor Microsoft’s security portal and JetBrains release notes for further advisories and patch release announcements.

Generated by OpenCVE AI on April 20, 2026 at 15:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 07 Jan 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 14:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft github Copilot
CPEs cpe:2.3:a:microsoft:github_copilot:*:*:*:*:*:jetbrains:*:*
Vendors & Products Microsoft github Copilot

Tue, 09 Dec 2025 18:15:00 +0000

Type Values Removed Values Added
Description Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to execute code locally.
Title GitHub Copilot for Jetbrains Remote Code Execution Vulnerability
First Time appeared Microsoft
Microsoft gihub Copilot Plugin For Jetbrains Ides
Weaknesses CWE-77
CPEs cpe:2.3:a:microsoft:gihub_copilot_plugin_for_jetbrains_ides:*:*:*:*:*:*:*:*
Vendors & Products Microsoft
Microsoft gihub Copilot Plugin For Jetbrains Ides
References
Metrics cvssV3_1

{'score': 8.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C'}

Subscriptions

Microsoft Gihub Copilot Plugin For Jetbrains Ides Github Copilot
cve-icon MITRE

Status: PUBLISHED

Assigner: microsoft

Published:

Updated: 2026-04-16T14:18:59.084Z

Reserved: 2025-11-06T23:40:37.277Z

Link: CVE-2025-64671

cve-icon Vulnrichment

Updated: 2026-01-07T17:01:57.986Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-09T18:16:06.417

Modified: 2025-12-12T13:57:32.803

Link: CVE-2025-64671

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T15:45:10Z

Weaknesses