A remote code execution vulnerability exists in VS Code 1.94.0 and earlier versions in the elevated save flow.
Patches
The fix is available starting with VS Code 1.94.1. The fix (28000df) mitigates this attack by only allowing elevated save in trusted workspaces and hardening how arguments are passed around.
Workarounds
A way to avoid the vulnerability without updating is to not use the elevated save flow.
References