Improper write permissions on zsh integration script

[amunger]

A remote code execution vulnerability exists in VS Code 1.99.0 and earlier versions where another user within the same group could edit the $ZDOTDIR and have extra code executed in the integrated zshell.

Patches

The fix is available starting with VS Code 1.99.1. The fix (2f2e2c4) prevents this attack by setting the sticky bit and remove group and other permissions to restrict the folder to the user that created it.

Workarounds

Disable shell integration in VS Code by setting "terminal.integrated.shellIntegration.enabled": false or do not open a zshell within VS Code.

References

• The patch for this can be found at 2f2e2c4
• An advisory for this can be found at GHSA-hwrx-jgf2-74hw
• MSRC details for this can be found at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-20570

[gjsjohnmurray]

Disable shell integration in VS Code by setting "terminal.integrated.shellIntegration.enabled": true

Should this actually say false?

[amunger]

thanks! just copied my setting json and forgot to update it.

[patchthecode]

so.. mitigated, but not stopped?
i mean.. the number of people that use terminal zsh especially with ai is astronomical.
to say not open it in a patch note to be lost in time is.. heh..

[amunger]

Bad word choice, updated.

to say not open it in a patch note to be lost in time is.. heh..

I do not know what this means