Description
vscode-spell-checker is a basic spell checker that works well with code and documents. Prior to v4.5.4, DocumentSettings._determineIsTrusted treats the configuration value cSpell.trustedWorkspace as the authoritative trust flag. The value defaults to true (package.json) and is read from workspace configuration each time settings are fetched. The code coerces any truthy value to true and forwards it to ConfigLoader.setIsTrusted , which in turn allows JavaScript/TypeScript configuration files ( .cspell.config.js/.mjs/.ts , etc.) to be located and executed. Because no VS Code workspace-trust state is consulted, an untrusted workspace can keep the flag true and place a malicious .cspell.config.js ; opening the workspace causes the extension host to execute attacker-controlled Node.js code with the user’s privileges. This vulnerability is fixed in v4.5.4.
Published: 2026-02-09
Score: 7.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch Immediately
AI Analysis

Impact

A misinterpretation of the workspace trust flag in vscode‑spell‑checker allows an attacker to place a malicious .cspell.config.js in a workspace that is then loaded automatically when the workspace is opened. The configuration value cSpell.trustedWorkspace is treated as an authoritative trust flag by default, and any truthy value is coerced to true. This bypass lets untrusted workspaces run attacker‑controlled JavaScript/TypeScript code with the user’s privileges, providing an arbitrary code execution vector. The underlying weakness stems from improper trust validation and incorrect configuration handling (CWE‑276, CWE‑807, CWE‑829).

Affected Systems

The affected product is the Streetsidesoftware vscode‑spell‑checker extension for Visual Studio Code. All releases prior to v4.5.4 are vulnerable, including v4.5.0 to v4.5.3 and earlier minor versions. The vulnerability is limited to systems where the extension is installed and a malicious workspace is opened.

Risk and Exploitability

The CVSS score is 7.8, indicating high severity. The EPSS score is below 1%, reflecting a low probability of exploitation in the wild. It is not listed in CISA’s KEV catalog, but due to the local nature of the attack, an attacker can trigger the flaw by creating or modifying a workspace. The primary attack vector is a maliciously crafted workspace opened by an ordinary user; no remote network access is required.

Generated by OpenCVE AI on April 17, 2026 at 21:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update vscode‑spell‑checker to version 4.5.4 or later, the version that removes the trust‑bypass flaw.
  • If an immediate update is unavailable, configure the extension to disable the trustedWorkspace flag or remove cSpell.trustedWorkspace from the workspace settings, ensuring the extension treats the workspace as untrusted and refuses to load user‑supplied .cspell.config.js files.
  • As an additional safeguard, restrict Node.js execution by the extension by applying VS Code policies that block arbitrary JavaScript execution or by disabling the extension in untrusted workspaces.

Generated by OpenCVE AI on April 17, 2026 at 21:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 10 Feb 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 10 Feb 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Streetsidesoftware
Streetsidesoftware vscode-spell-checker
Vendors & Products Streetsidesoftware
Streetsidesoftware vscode-spell-checker

Mon, 09 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description vscode-spell-checker is a basic spell checker that works well with code and documents. Prior to v4.5.4, DocumentSettings._determineIsTrusted treats the configuration value cSpell.trustedWorkspace as the authoritative trust flag. The value defaults to true (package.json) and is read from workspace configuration each time settings are fetched. The code coerces any truthy value to true and forwards it to ConfigLoader.setIsTrusted , which in turn allows JavaScript/TypeScript configuration files ( .cspell.config.js/.mjs/.ts , etc.) to be located and executed. Because no VS Code workspace-trust state is consulted, an untrusted workspace can keep the flag true and place a malicious .cspell.config.js ; opening the workspace causes the extension host to execute attacker-controlled Node.js code with the user’s privileges. This vulnerability is fixed in v4.5.4.
Title vscode-spell-checker has a workspace-trust bypass Code Execution
Weaknesses CWE-276
CWE-807
CWE-829
References
Metrics cvssV3_1

{'score': 7.8, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}

Subscriptions

Streetsidesoftware Vscode-spell-checker
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T16:54:46.762Z

Reserved: 2026-02-09T16:22:17.786Z

Link: CVE-2026-25931

cve-icon Vulnrichment

Updated: 2026-02-10T16:54:18.209Z

cve-icon NVD

Status : Deferred

Published: 2026-02-09T23:16:05.753

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-25931

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T21:15:27Z

Weaknesses