PT-2025-32853 · GitHub Copilot / Visual Studio

Researchers: Johann Rehberger (and 3 others)

Published: 2025-08-12 · Updated: 2026-03-14

CVE-2025-53773

CVSS v3.1: 7.8
Vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected: GitHub Copilot versions prior to 17.14.12; Visual Studio (affected versions not specified).

Description: An improper neutralization of special elements in commands, known as a 'command injection', exists in GitHub Copilot and Visual Studio. It allows an unauthorized attacker to execute code locally. The issue arises from the way the software handles specific elements within commands, so that malicious code can be executed through prompt injection. The exploit can overwrite the Copilot configuration file, placing it into a state that allows immediate remote code execution and bypasses user approvals. The vulnerability is considered wormable, meaning it can self-replicate and spread.

Recommendations: Update GitHub Copilot to version 17.14.12. Update Visual Studio to the latest available version.

Tags: Exploit, Fix, RCE, Command Injection

Related Identifiers

BDU:2025-10171
CVE-2025-53773

Affected Products

Github Copilot
Visual Studio