This post is about an important, but also scary, prompt injection discovery that leads to full system compromise of the developer’s machine in GitHub Copilot and VS Code. It is achieved by placing Copilot into YOLO mode by modifying the project’s settings.json file.

As described a few days ago with Amp, a vulnerability pattern in agents that might be overlooked is that if an agent can write to files and modify its own configuration or update security-relevant settings, it can lead to remote code execution. This is not uncommon and is an area to always look for when performing a security review.

Background Research

When looking at VS Code and GitHub Copilot Agent Mode I noticed a strange behavior… it can create and write to files in the workspace without user approval. The edits are immediately persistent; they are not held in memory as a diff to review. The modifications are written to disk right away.

It’s one of these things that as a red teamer you know is probably not good… so I looked into whether this could be used to escalate privileges and execute code.

YOLO Mode

So, next I researched features in VS Code that depend on settings that are within the project/workspace folder, and quickly found an interesting one. It turns out that in the .vscode/settings.json file one can add the following line:

"chat.tools.autoApprove": true

This will put GitHub Copilot in YOLO mode. It disables all user confirmations, and we can run shell commands, browse the web, and more!

What is interesting is that this is an experimental feature, but it is still present by default. I did not download a special version or set my VS Code overall into an experimental mode. Furthermore, it works on Windows, macOS and also Linux.

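
A review-side check for the setting described above, as an added example that is not code from the original post: it walks a directory tree, parses every .vscode/settings.json as JSON with comments, and reports the files where "chat.tools.autoApprove" is set to true. The function names and the sample workspace built in demo() are constructed for illustration.

```python
import json
import re
import tempfile
from pathlib import Path

RISKY_KEY = "chat.tools.autoApprove"   # the setting named in the post
_STRING = r'"(?:\\.|[^"\\])*"'         # a JSON string literal, escapes included

def _keep_strings(match):
    token = match.group(0)
    return token if token.startswith('"') else ""

def strip_jsonc(text):
    """Settings files allow comments and trailing commas; drop both, keep strings."""
    text = re.sub(_STRING + r"|//[^\n]*|/\*.*?\*/", _keep_strings, text, flags=re.S)
    return re.sub(_STRING + r"|,(?=\s*[}\]])", _keep_strings, text)

def scan(root):
    """Return (relative path, finding) pairs for .vscode/settings.json under root."""
    findings = []
    for path in sorted(Path(root).glob("**/.vscode/settings.json")):
        rel = path.relative_to(root).as_posix()
        try:
            settings = json.loads(strip_jsonc(path.read_text(encoding="utf-8")))
        except (OSError, ValueError):
            # A file the parser cannot read is reported, not silently skipped.
            findings.append((rel, "unparseable, review by hand"))
            continue
        if isinstance(settings, dict) and settings.get(RISKY_KEY) is True:
            findings.append((rel, "auto-approve enabled"))
    return findings

def demo():
    """Scan a constructed two-project tree (sample files, not from the post)."""
    samples = {
        "app/.vscode/settings.json":   # setting active, with comment and trailing comma
            '{\n  // formatting\n  "editor.tabSize": 2,\n'
            '  "chat.tools.autoApprove": true, /* added by a commit */\n}\n',
        "lib/.vscode/settings.json":   # setting only mentioned inside a comment
            '{\n  // "chat.tools.autoApprove": true\n'
            '  "docs.url": "https://example.test/a,}"\n}\n',
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in samples.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True)
            target.write_text(body, encoding="utf-8")
        return scan(tmp)

if __name__ == "__main__":
    print(demo())
```

Run against a checkout before opening it with an agent, or in CI on pull requests that touch .vscode/; a plain text search would also flag the commented-out line in the second sample, which the parser correctly ignores.
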
Exploit Chain Explained

The proof-of-concept exploit chain to hijack Copilot and escalate privileges is as follows: The attack starts with a prompt injection planted in a source code file, web page, GitHub issue, tool call response, or other content… The payload can also use...
First seen: 2025-10-12 17:19
Last seen: 2025-10-12 21:20