PT-2026-7180 · Microsoft · Vscode-Spell-Checker

Naxus-Audit · Published 2026-02-09 · Updated 2026-03-31 · CVE-2026-25931

CVSS v3.1 7.8 High
Vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions vscode-spell-checker versions prior to 4.5.4
Description The vscode-spell-checker extension is vulnerable to a Workspace Trust bypass that leads to code execution in the VS Code extension host. DocumentSettings.determineIsTrusted treats the cSpell.trustedWorkspace setting as the sole indicator of trust. That setting defaults to true and is read from the workspace configuration, which an untrusted workspace controls (for example through its own .vscode/settings.json), so the check is satisfied by any attacker-supplied workspace without consulting VS Code's own trust state; the attacker does not even need to write the setting, because the default already grants trust. The result is passed to ConfigLoader.setIsTrusted, which enables loading of JavaScript/TypeScript configuration files. A malicious workspace can therefore ship a .cspell.config.js, and merely opening that workspace, even in Restricted Mode, causes the extension host to execute attacker-controlled Node.js code with the user's privileges.
Recommendations Update affected installations to vscode-spell-checker 4.5.4 or later. On earlier versions, VS Code's Restricted Mode does not contain this extension, so repositories from untrusted sources should not be opened with it enabled.

Weakness Enumeration

Incorrect Default Permissions (CWE-276)

Related Identifiers

CVE-2026-25931
GHSA-MGGQ-68MR-58VJ

Affected Products

Vscode-Spell-Checker