EXECUTIVE SUMMARY:
A vulnerability has been discovered in the code-server project, which lets users run VS Code in a browser. The issue, tracked as CVE-2025-47269 with a CVSS score of 8.3, stems from improper validation of proxy requests: an attacker can craft a URL that a vulnerable instance will proxy in a way that leaks the victim's session cookie. When an authenticated user clicks such a link, the session cookie is delivered to the attacker's server, and whoever holds that cookie can use it to authenticate to the code-server instance until the session is invalidated. Because code-server runs with the privileges of the user who started it, this can give the attacker full control of the host: reading, modifying or deleting files, and installing malware. A patch is available, and users are urged to update to the latest version to mitigate this risk.
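The snippet below is an added illustration of the bug class the summary describes (an upstream target derived from an unvalidated proxy URL); it is not code-server's own code and does not reproduce the exact request shape of CVE-2025-47269. The route layout /proxy/<port>/<rest>, the helper names and the hostname attacker.example are assumptions made for the example. It places a weak target builder next to a hardened one and runs both over a few constructed request paths.

```javascript
// Added example (not code-server's own code): the bug class behind an
// "improperly validated proxy request", shown as a weak upstream-target
// builder beside a hardened one. The route shape /proxy/<port>/<rest> and
// the hostname attacker.example are assumptions for this illustration.

const PROXY_PREFIX = "/proxy/";

// Split "/proxy/<segment>/<rest>" into its two parts. Routers normally hand
// the handler a percent-decoded parameter, so the segment is decoded the same
// way here; a malformed escape rejects the whole request.
function splitProxyPath(requestPath) {
  if (typeof requestPath !== "string" || !requestPath.startsWith(PROXY_PREFIX)) {
    return null;
  }
  const rest = requestPath.slice(PROXY_PREFIX.length);
  const slash = rest.indexOf("/");
  const rawSegment = slash === -1 ? rest : rest.slice(0, slash);
  const tail = slash === -1 ? "/" : rest.slice(slash);
  let portSegment;
  try {
    portSegment = decodeURIComponent(rawSegment);
  } catch {
    return null;
  }
  return { portSegment, tail };
}

// WEAK: the decoded segment is spliced into the upstream origin unchecked.
// A segment such as "80@attacker.example" turns "localhost:80" into the
// userinfo part of the URL and makes attacker.example the real host, so a
// proxy that forwards the browser's request headers upstream would hand the
// session cookie to that host.
function weakProxyTarget(requestPath) {
  const parts = splitProxyPath(requestPath);
  if (!parts) return null;
  try {
    return new URL(parts.tail, `http://localhost:${parts.portSegment}`);
  } catch {
    return null; // unparsable origin, e.g. an out-of-range port
  }
}

// HARDENED: accept only a bare decimal TCP port, pin the host, and verify the
// resolved URL still points at that host (a tail beginning with "//" would
// otherwise be resolved as a scheme-relative reference to another origin).
function safeProxyTarget(requestPath) {
  const parts = splitProxyPath(requestPath);
  if (!parts) return null;
  if (!/^[1-9][0-9]{0,4}$/.test(parts.portSegment)) return null;
  const port = Number(parts.portSegment);
  if (port > 65535) return null;
  let target;
  try {
    target = new URL(parts.tail, "http://127.0.0.1");
  } catch {
    return null;
  }
  if (target.hostname !== "127.0.0.1" || target.username !== "" || target.password !== "") {
    return null;
  }
  target.port = String(port);
  return target;
}

// Constructed sample request paths: one legitimate, three hostile.
const SAMPLE_PATHS = [
  "/proxy/8080/terminal",
  "/proxy/80%40attacker.example/",
  "/proxy/8080//attacker.example/steal",
  "/proxy/70000/",
];

// Returns, for each path, where the weak and the hardened builder would send
// the proxied request (null means the request is refused or unparsable).
function compareTargets(paths = SAMPLE_PATHS) {
  return paths.map((p) => ({
    path: p,
    weak: weakProxyTarget(p) ? weakProxyTarget(p).href : null,
    safe: safeProxyTarget(p) ? safeProxyTarget(p).href : null,
  }));
}

for (const row of compareTargets()) {
  console.log(`${row.path}\n  weak -> ${row.weak}\n  safe -> ${row.safe}`);
}
```

Two details carry the lesson. First, the hardened builder validates the port as a string before any URL parsing, because parsers are forgiving about userinfo, scheme-relative paths and similar tricks and will happily produce a well-formed URL for a hostile host. Second, it checks the result after resolution as well, since the tail of the path is also attacker-controlled.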
RECOMMENDATION:
Update every code-server instance to the patched release as soon as possible. Until that is done, treat code-server links received from untrusted sources with suspicion and avoid following them while logged in. Because a stolen cookie stays usable until the session it belongs to ends, instances whose users may already have clicked such a link should have their existing sessions invalidated after the update, and their file systems and installed extensions reviewed for unexpected changes.
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/vs-code-in-the-browser-at-risk-code-server-security-alert/