{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-64671", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2025-11-06T23:40:37.277Z", "datePublished": "2025-12-09T17:56:06.407Z", "dateUpdated": "2026-04-16T14:18:59.084Z"}, "containers": {"cna": {"title": "GitHub Copilot for Jetbrains Remote Code Execution Vulnerability", "datePublic": "2025-12-09T08:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:gihub_copilot_plugin_for_jetbrains_ides:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "1.5.60-243"}]}]}], "affected": [{"vendor": "Microsoft", "product": "GitHub Copilot Plugin for JetBrains IDEs", "versions": [{"version": "1.0.0", "lessThan": "1.5.60-243", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to execute code locally.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "lang": "en-US", "type": "CWE", "cweId": "CWE-77"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-16T14:18:59.084Z"}, "references": [{"name": "GitHub Copilot for Jetbrains Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.4, "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-64671", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-10T04:57:01.489097Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-26T16:21:09.492Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-64671", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-10T04:57:01.489097Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T17:01:57.986Z"}}], "cna": {"title": "GitHub Copilot for Jetbrains Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.4, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "GitHub Copilot Plugin for JetBrains IDEs", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "1.5.60-243", "versionType": "custom"}]}], "datePublic": "2025-12-09T08:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671", "name": "GitHub Copilot for Jetbrains Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to execute code locally."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:gihub_copilot_plugin_for_jetbrains_ides:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "1.5.60-243", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-16T14:18:59.084Z"}}}, "cveMetadata": {"cveId": "CVE-2025-64671", "state": "PUBLISHED", "dateUpdated": "2026-04-16T14:18:59.084Z", "dateReserved": "2025-11-06T23:40:37.277Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2025-12-09T17:56:06.407Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:github_copilot:*:*:*:*:*:jetbrains:*:*", "matchCriteriaId": "1128B69C-7FF6-4180-A827-6A316FB637AF", "versionEndExcluding": "1.5.60-243", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper neutralization of special elements used in a command ('command injection') in Copilot allows an unauthorized attacker to execute code locally."}], "id": "CVE-2025-64671", "lastModified": "2025-12-12T13:57:32.803", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 8.4, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.5, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 7.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-12-09T18:16:06.417", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-64671"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}], "source": "secure@microsoft.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T15:41:43.564802+00:00", "value": {"mitigation_remediation": ["Apply the latest update for the GitHub Copilot Plugin available from Microsoft to eliminate the command injection flaw.", "If an update is not immediately available, temporarily disable the GitHub Copilot plugin in all JetBrains IDEs to prevent the vulnerability from being exploited.", "Monitor Microsoft\u2019s security portal and JetBrains release notes for further advisories and patch release announcements."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is the Microsoft GitHub Copilot Plugin for JetBrains IDEs. No specific versions are listed in the advisory, so any installation of the plugin, regardless of patch level, may be vulnerable unless a later update explicitly addresses this issue.", "description_and_impact": "Improper neutralization of special elements used in a command, commonly known as command injection, is present in the GitHub Copilot plugin for JetBrains IDEs. This flaw allows an unauthorized attacker to construct input that is not properly sanitized and thereby cause the plugin to execute arbitrary shell commands on the host machine. The vulnerability is categorized as CWE\u201177 and results in both confidentiality and integrity violations, permitting the attacker to run any code or scripts with the privileges of the user running the IDE.", "risk_and_exploitability": "The CVSS score of 8.4 classifies this as a high\u2011severity vulnerability. EPSS indicates a very low probability of exploitation, yet the flaw remains unlisted in KEV, meaning no public exploitation has been reported. The likely attack vector is local; an attacker who can supply or influence input to the plugin\u2014such as a malicious user or compromised extension\u2014can trigger the command injection, leading to local code execution. Even though exploitation is not widespread, the potential impact is severe, justifying prompt remediation."}}}}, "created": "2026-04-20T15:45:10.383591+00:00", "updated": "2026-04-20T15:45:10.383601+00:00", "vendors": []}