GitHub Copilot vulnerability raises concerns of full system compromise

A newly disclosed vulnerability, tracked as CVE-2025-53773, has revealed a critical security flaw in GitHub Copilot and Visual Studio, enabling attackers to achieve remote code execution (RCE) on a developer's machine through a sophisticated "prompt injection" technique. The discovery highlights a growing and unsettling trend in AI-powered tools where the assistant itself can be weaponized against the user.

The vulnerability was discovered and reported via the GitHub Bug Bounty program. The exploit works by manipulating the GitHub Copilot into modifying its own configuration settings.

Here's how the attack chain unfolds:

Malicious Prompt Injection: The attack begins with an attacker embedding a malicious instruction, or "prompt injection," into a source code file, a web page, or even a GitHub issue. These instructions can even be hidden using invisible Unicode characters to evade detection.

AI as an Accomplice: When a developer using a vulnerable version of GitHub Copilot opens the infected file or interacts with the malicious content, the AI assistant processes the hidden instructions.

• Privilege Escalation: The prompt injection tricks Copilot into writing a specific line of code to the developer's .vscode/settings.json file. This line, "chat.tools.autoApprove": true, effectively puts Copilot into "YOLO mode," disabling all user confirmations and allowing the AI to execute shell commands without permission.

• Remote Code Execution: With auto-approval enabled, the attacker's original malicious instructions are now free to execute arbitrary commands on the developer's machine, leading to a full system compromise. This opens the door for attackers to install malware, steal data, or even propagate the malicious code to other projects.

A growing concern for the software supply chain

This is not the first time security researchers have raised concerns about the security of AI-generated code. The CVE-2025-53773 vulnerability, however, represents a significant escalation, as it allows for direct control and remote code execution.

This vulnerability affects a wide range of users, including anyone who uses the GitHub Copilot extension within Visual Studio Code on Windows, macOS, or Linux. The potential for a "supply chain attack" is particularly high, as malicious instructions could be embedded in open-source projects, and a single interaction by a developer could lead to a widespread compromise.

Microsoft's response

Microsoft, which assigned the CVE, acknowledged the issue and has already released a fix as part of its August 2025 Patch Tuesday. Developers are urged to update their GitHub Copilot and Visual Studio installations immediately to mitigate the risk.