CVE-2019-16765

Description

If an attacker can get a user to open a specially prepared directory tree as a workspace in Visual Studio Code with the CodeQL extension active, arbitrary code of the attacker's choosing may be executed on the user's behalf. This is fixed in version 1.0.1 of the extension. Users should upgrade to this version using Visual Studio Code Marketplace's upgrade mechanism. After upgrading, the codeQL.cli.executablePath setting can only be set in the per-user settings, and not in the per-workspace settings. More information about VS Code settings can be found here.

Remediation

Workaround:

  • Manually review the workspace settings for any workspace obtained from an external source. These settings can be found in the .vscode/settings.json file within the workspace directory. Remove the configuration values for the codeQL.cli.executablePath, codeQL.cli.owner, and codeQL.cli.repository settings for the workspace. If you wish to use the codeQL.cli.executablePath setting to indicate the location of a CodeQL CLI executable, then move this to your user settings, and check that you trust the configured path. You can access the user settings by choosing Preferences: Open User Settings from the Command Palette.

Category

7.4
CVSS
Severity: High
CVSS 3.1 •
CVSS 2.0 •
EPSS 0.84% Top 30%
Third-Party Advisory github.com Third-Party Advisory github.com
Affected: github vscode-codeql
Published at:
Updated at:

References

Link Tags
https://github.com/github/vscode-codeql/security/advisories/GHSA-wf4x-8mpj-r42q third party advisory
https://github.com/github/vscode-codeql/pull/174 third party advisory patch
https://github.com/github/vscode-codeql/blob/v1.0.1/CHANGELOG.md release notes

Frequently Asked Questions

What is the severity of CVE-2019-16765?
CVE-2019-16765 has been scored as a high severity vulnerability.
How to fix CVE-2019-16765?
As a workaround for remediating CVE-2019-16765: Manually review the workspace settings for any workspace obtained from an external source. These settings can be found in the .vscode/settings.json file within the workspace directory. Remove the configuration values for the codeQL.cli.executablePath, codeQL.cli.owner, and codeQL.cli.repository settings for the workspace. If you wish to use the codeQL.cli.executablePath setting to indicate the location of a CodeQL CLI executable, then move this to your user settings, and check that you trust the configured path. You can access the user settings by choosing Preferences: Open User Settings from the Command Palette.
Is CVE-2019-16765 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2019-16765 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2019-16765?
CVE-2019-16765 affects github vscode-codeql.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.