GitHub Copilot RCE Vulnerability (CVE-2025-53773) Allows Remote Code Execution via Prompt Injection

A critical vulnerability in GitHub Copilot and Visual Studio Code, tracked as CVE-2025-53773, allows attackers to achieve remote code execution through prompt injection attacks, potentially compromising developers' machines.
This flaw exploits GitHub Copilot’s ability to modify project configuration files, particularly the .vscode/settings.json file, enabling attackers to bypass security controls and execute arbitrary commands.


The vulnerability arises from Copilot's capability to create and write files in the workspace without explicit user approval, so its changes are written to disk immediately.
By manipulating the .vscode/settings.json file, attackers can enable "YOLO mode" by adding the line "chat.tools.autoApprove": true. This setting, available in standard VS Code installations, disables user confirmations and grants the AI agent unrestricted access to execute shell commands across Windows, macOS, and Linux systems.


The attack uses prompt injection techniques, embedding malicious instructions in source code files, web pages, or GitHub issues. These instructions can include invisible Unicode characters to evade detection. Once Copilot processes them, it modifies the settings file to enable auto-approval mode, escalating privileges without user consent.
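A defender-side workspace audit for the two indicators the article describes (the auto-approve key in .vscode/settings.json and hidden Unicode characters in files Copilot might read), added here as an example; it is not code from the original article or from VS Code. The file-extension list and the set of hidden code points are my assumptions.

```python
import json
import re
from pathlib import Path

# Assumed set of zero-width and bidi-control code points used to hide text
# from human reviewers while still being read by an LLM.
INVISIBLE = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff",
             "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
             "\u2066", "\u2067", "\u2068", "\u2069"}
SCAN_SUFFIXES = {".py", ".js", ".ts", ".md", ".json", ".txt"}  # assumption

def parse_jsonc(text):
    """VS Code settings.json allows // and /* */ comments and trailing commas,
    which plain json.loads rejects. Only whole-line // comments are stripped
    so that URLs such as https:// inside string values are left intact."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",\s*([}\]])", r"\1", text)
    return json.loads(text)

def auto_approve_enabled(settings_text):
    """True only when the key is present with the JSON boolean true."""
    try:
        settings = parse_jsonc(settings_text)
    except ValueError:
        return False
    return settings.get("chat.tools.autoApprove") is True

def find_invisible_chars(text):
    """Return (line_number, code_point) for every hidden character found."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        hits.extend((number, f"U+{ord(ch):04X}") for ch in line if ch in INVISIBLE)
    return hits

def audit_workspace(root):
    """Collect (path, finding) pairs for a checked-out project directory."""
    root = Path(root)
    findings = []
    settings = root / ".vscode" / "settings.json"
    if settings.is_file() and auto_approve_enabled(settings.read_text(encoding="utf-8")):
        findings.append((str(settings), "chat.tools.autoApprove is true"))
    for path in root.rglob("*"):
        if path.is_file() and path.suffix in SCAN_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            for number, cp in find_invisible_chars(text):
                findings.append((str(path), f"hidden {cp} at line {number}"))
    return findings

# Constructed sample mirroring the settings change described in the article.
SAMPLE_SETTINGS = '{\n  // turn on YOLO mode\n  "chat.tools.autoApprove": true,\n}'
```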