Impact
The vscode-java extension mistakenly trusts all Markdown content that appears in JavaDoc hover popups. A malicious Java file can embed specially crafted links that, when a user clicks them, cause Visual Studio Code to execute arbitrary VS Code commands. This flaw can lead to full system compromise when the user is working within a trusted OpenShift Dev Spaces workspace, because the extension runs with the workspace's privileges. The weakness is a form of command injection (CWE-88).
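The mechanism described above (hover Markdown treated as trusted, so a crafted link can invoke an editor command) suggests the mitigation: an extension should never mark Markdown derived from source-file comments as trusted, and it can additionally strip link targets it does not recognise before rendering. The helper below is an added example written for this advisory; it is not code from vscode-java, OpenShift Dev Spaces or Red Hat. It assumes VS Code's documented behaviour that command links only run from a MarkdownString whose isTrusted flag is set, and the names sanitizeHoverMarkdown, isSafeTarget, ALLOWED_SCHEMES and the command id placeholder.command in the sample are all constructed for the example.

```javascript
// Added example, not the extension's own code: a defensive filter for Markdown
// that an extension is about to show in a hover popup.
//
// VS Code only executes `command:` links from a MarkdownString marked trusted
// (MarkdownString.isTrusted). The primary fix is therefore to leave that flag
// unset for Javadoc-derived content. This helper is a second layer: it finds
// every link target in the Markdown and neutralises any whose scheme is not on
// an allow-list, so the text still renders but cannot invoke commands.

const ALLOWED_SCHEMES = new Set(["http", "https", "mailto", "file"]);

// Normalise a link target enough to see its real scheme: strip surrounding
// whitespace and angle brackets, percent-decode so "%63ommand:" is seen as
// "command:", and drop control characters a renderer might ignore ("com\tmand:").
function normalizeTarget(raw) {
  let t = raw.trim();
  if (t.startsWith("<") && t.endsWith(">")) t = t.slice(1, -1).trim();
  try {
    t = decodeURIComponent(t);
  } catch (_) {
    // Malformed percent-encoding: keep the raw text; the scheme check still runs.
  }
  return t.replace(/[\u0000-\u0020]/g, "");
}

// Returns the lower-cased scheme, or null for relative targets ("#anchor", "Foo.html").
function schemeOf(target) {
  const m = /^([a-zA-Z][a-zA-Z0-9+.-]*):/.exec(target);
  return m ? m[1].toLowerCase() : null;
}

// Relative targets are allowed (VS Code resolves them against baseUri);
// absolute targets must use an allow-listed scheme. `command:` never passes.
function isSafeTarget(raw) {
  const scheme = schemeOf(normalizeTarget(raw));
  return scheme === null || ALLOWED_SCHEMES.has(scheme);
}

// Rewrite unsafe links so they render as plain text. Covers the ways Markdown
// can carry a target: inline links/images `[t](target "title")`, reference
// definitions `[id]: target` (reference-style links then fall back to literal
// text), autolinks `<scheme:...>`, and raw HTML anchors, which are unwrapped.
// Returns the cleaned Markdown and how many targets were neutralised, which is
// worth logging: a hover that needed sanitising is itself a detection signal.
function sanitizeHoverMarkdown(md) {
  let blocked = 0;

  // 1. inline links and images
  let out = md.replace(
    /!?\[([^\]]*)\]\(\s*(<[^>]*>|[^\s)]+)(?:\s+"[^"]*")?\s*\)/g,
    (whole, text, target) => {
      if (isSafeTarget(target)) return whole;
      blocked++;
      return `${text} (link removed)`;
    }
  );

  // 2. reference definitions
  out = out.replace(/^[ \t]{0,3}\[([^\]]+)\]:[ \t]*(\S+).*$/gm, (whole, id, target) => {
    if (isSafeTarget(target)) return whole;
    blocked++;
    return "";
  });

  // 3. autolinks
  out = out.replace(/<([a-zA-Z][a-zA-Z0-9+.-]*:[^>\s]*)>/g, (whole, target) => {
    if (isSafeTarget(target)) return whole;
    blocked++;
    return "";
  });

  // 4. raw HTML anchors: keep the inner text, drop the element
  out = out.replace(/<a\b[^>]*>([\s\S]*?)<\/a>/gi, (whole, inner) => {
    blocked++;
    return inner;
  });

  return { markdown: out, blocked };
}

// Constructed sample Javadoc-derived Markdown; "placeholder.command" is not a real command id.
const SAMPLE_HOVER = [
  "Creates a widget. See [the docs](https://example.invalid/widget).",
  "[Click me](command:placeholder.command)",
  "[ref link][x]",
  "",
  "[x]: command:placeholder.command",
  "<command:placeholder.command>",
  '<a href="command:placeholder.command">run</a>',
].join("\n");

function demo() {
  return sanitizeHoverMarkdown(SAMPLE_HOVER);
}
```

Relative links are kept on purpose, because Javadoc routinely cross-references other types with relative targets; only absolute targets are checked against the allow-list. In a real hover provider the returned Markdown would be wrapped in a MarkdownString with isTrusted left unset, so even a target the filter misses cannot run a command.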
Affected Systems
The vulnerability is present in Red Hat OpenShift Dev Spaces 3, which bundles the vscode-java extension; the affected vendor is Red Hat and the affected product is the OpenShift Dev Spaces platform. Versions earlier than the fix are impacted; no other versions are known to be vulnerable.
Risk and Exploitability
The CVSS score of 8.8 classifies this flaw as high severity: an attacker who can place a malicious Java file in front of a user and have them click a link in the JavaDoc hover popup can gain control over the VS Code environment and potentially the host system. No EPSS score is available, so little can be inferred about current exploitation frequency, but the flaw is considered serious because the extension is widely used in development environments. The vulnerability is not listed in the CISA KEV catalog, yet it remains a critical local risk because a malicious Java project can be introduced into a trusted workspace; the only prerequisites for exploitation are the presence of the vscode-java extension, a malicious Java file, and a user clicking a crafted link. The attacker could achieve remote code execution within the workspace, compromising code, data, and the underlying platform.
OpenCVE Enrichment