Description
GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder (without user approval) via a file-handler URI parameter to fetch_webpage. Therefore, exfiltration could occur if there is indirect prompt injection.
Published: 2026-06-22
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitHub Copilot 1.372.0 contains a flaw that permits the fetch_webpage tool to read files outside the designated workspace using a file-handler URI parameter. This bypasses user approval and could enable an attacker to exfiltrate sensitive files if indirect prompt injection is achieved. The weakness is characterized by file or directory traversal (CWE‑552).

Affected Systems

The vulnerability affects the GitHub Copilot extension, specifically version 1.372.0. The product is distributed by GitHub (Microsoft).

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact for the flaw that allows read access to files outside the workspace without user approval. The impact remains significant due to potential data exfiltration if indirect prompt injection is achieved. The exploit requires that an attacker can influence the Copilot input – for example through an indirect prompt injection scenario. With no EPSS data and no listing in CISA KEV, the current exploitation risk is uncertain but the potential consequences warrant prompt action.

Generated by OpenCVE AI on June 22, 2026 at 19:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade GitHub Copilot to the latest version that addresses file access restrictions
  • If no patch is available, disable or remove the Copilot extension from Visual Studio Code
  • Configure VS Code settings to block or prevent the use of file-handler URIs in the Copilot chat command

Generated by OpenCVE AI on June 22, 2026 at 19:25 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 19:45:00 +0000

Type Values Removed Values Added
Title GitHub Copilot 1.372.0 Filesystem Access Outside Workspace via File-Handler URI

Mon, 22 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title Filesystem Exfiltration via Unauthorized File-Handler URI in GitHub Copilot
Weaknesses CWE-200
CWE-284

Mon, 22 Jun 2026 16:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-552
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Microsoft
Microsoft copilot
Vendors & Products Microsoft
Microsoft copilot

Mon, 22 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Title Filesystem Exfiltration via Unauthorized File-Handler URI in GitHub Copilot
Weaknesses CWE-200
CWE-284

Mon, 22 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description GitHub Copilot 1.372.0 allows filesystem access outside of a workspace folder (without user approval) via a file-handler URI parameter to fetch_webpage. Therefore, exfiltration could occur if there is indirect prompt injection.
References

Subscriptions

Microsoft Copilot
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-22T16:02:08.057Z

Reserved: 2025-11-28T00:00:00.000Z

Link: CVE-2025-66389

cve-icon Vulnrichment

Updated: 2026-06-22T16:02:02.785Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T19:30:06Z

Weaknesses
  • CWE-552

    Files or Directories Accessible to External Parties