Impact

This is a Remote Code Execution Vulnerability that affects all versions of Prisma VS Code extension older than 2.20.0.

If a custom binary path for the Prisma format binary is set in VS Code Settings, for example by downloading a project that has a .vscode/settings.json file that sets a value for "prismaFmtBinPath".

That custom binary is executed when auto-formatting is triggered by VS Code or when validation checks are triggered after each keypress on a *.prisma file.

Patches

Fixed in

• 2.20.0 https://marketplace.visualstudio.com/items?itemName=Prisma.prisma
• 2.20.0 https://open-vsx.org/extension/Prisma/prisma
• 20.0.27 https://marketplace.visualstudio.com/items?itemName=Prisma.prisma-insider
• 20.0.27 https://open-vsx.org/extension/Prisma/prisma-insider

Workarounds

Users can

• edit or delete the .vscode/settings.json file
• check if the binary is malicious and delete it

References

Similar CVE: Visual Studio Code ESLint Extension Remote Code Execution Vulnerability https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-27081

Pull Request for Prisma VS Code extension closing this vulnerability #750

Acknowledgements

• RyotaK - https://github.com/Ry0taK - https://twitter.com/ryotkak

For more information

If you have any questions or comments about this advisory:

• Open an issue in the Prisma language-tools repository
• Email us at security@prisma.io