RCE in VS Code Copilot Chat via applyPatchTool TOCTOU#2234

Open
carlospolop wants to merge 1 commit into
masterfrom
update_RCE_in_VS_Code_Copilot_Chat_via_applyPatchTool_TOC_20260514_083724
Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://www.hacktron.ai/blog/rce-in-vscode-copilot
  • Blog Title: RCE in VS Code Copilot Chat via applyPatchTool TOCTOU
  • Suggested Section: AI Security / AI Agent Abuse Local AI CLI Tools and MCP, with a cross-reference from Generic Hacking or Web/AI sections for arbitrary file write to RCE via .git/config poisoning

🎯 Content Summary

The post describes a VS Code Copilot Chat Agent Mode prompt-injection vulnerability that bypasses the user-confirmation protections added after earlier prompt-injection-to-RCE issues. No CVE is mentioned. The vulnerable component is applyPatchTool, used by Copilot to apply model-generated patches. The bug is a time-of-check to time-of-use (TOCTOU) mismatch: the confirmation phase checks only the files listed in *** Update File: and *** Add File:, while t...

🔧 Technical Details

Prompt-injection-driven agent tool abuse: If an AI coding agent consumes untrusted text from a GitHub issue, ticket, README, comment, or chat message, that text can become executable workflow instructions for the agent. When the agent has access to file-editing tools, an attacker can embed instructions that make the model call those tools with attacker-controlled content. In this case, the issue body instructs Copilot Agent Mode to call apply_patch with a malicious patch after a maintainer clicks Code with Agent Mode.


TOCTOU in patch confirmation systems: A confirmation mechanism is unsafe when the paths checked before execution differ from the paths used during execution. The vulnerable pattern is a parser/checker that approves only source paths such as *** Update File: harmless_file, while the executor also supports a secondary directive such as *** Move to: sensitive_target. The e...

🤖 Agent Actions

Done: updated src/AI/AI-Prompts.md.

What I added:

  • New section for VS Code Copilot Chat applyPatch TOCTOU arbitrary write
  • Explained the prompt-injection → unchecked *** Move to: → arbitrary overwrite primitive
  • Documented the .git/config poisoning + .vscode/settings.json (git.autofetch) → RCE/token exfiltration chain
  • Added a short audit checklist for patch-based agent tools
  • Added the blog URL to the file’s References

Validation:

  • Confirmed only one file changed
  • Confirmed single ## References section remains
  • Confirmed banner include is still at EOF

Modified file:

  • src/AI/AI-Prompts.md

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
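
The unchecked rename directive described in the summary above, as an added example that is not part of this PR or of Copilot Chat's own code: a path collector for apply_patch-style patches that surfaces `*** Move to:` targets alongside the Add/Update paths the naive checker sees, and flags writes that escape the workspace or land in version-control or editor metadata. The protected-prefix list and the sample patch are constructed assumptions.

```typescript
// Added example (not Copilot Chat's code): enumerate EVERY path an
// apply_patch-style patch would touch, so the confirmation prompt covers
// the same set of files the executor will write. Directives handled:
//   *** Add File: <p> / *** Update File: <p> / *** Delete File: <p>
//   *** Move to: <p>   (rename target, follows an Update File header)

interface PatchReview {
  naiveTargets: string[]; // what a checker that ignores "Move to:" shows the user
  allTargets: string[];   // every path the executor would create, modify or delete
  blocked: string[];      // targets a defender should refuse outright
}

// Assumed list: VCS metadata and editor settings turn an arbitrary write into
// code execution (the .git/config + .vscode/settings.json chain noted above).
const PROTECTED_PREFIXES: string[] = [".git/", ".vscode/"];

// Normalise a relative path; return null for absolute paths or ".." escapes.
function normaliseRelative(p: string): string | null {
  const raw = p.trim().replace(/\\/g, "/");
  if (raw.startsWith("/") || /^[A-Za-z]:/.test(raw)) return null;
  const out: string[] = [];
  for (const seg of raw.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { if (out.length === 0) return null; out.pop(); continue; }
    out.push(seg);
  }
  return out.join("/");
}

function reviewPatch(patch: string): PatchReview {
  const naive: string[] = [];
  const all: string[] = [];
  for (const line of patch.split(/\r?\n/)) {
    const m = /^\*\*\* (Add File|Update File|Delete File|Move to): (.+)$/.exec(line);
    if (!m) continue;
    const target = (m[2] ?? "").trim();
    if (m[1] !== "Move to") naive.push(target); // the TOCTOU: checker stops here
    all.push(target);                           // the executor honours all of them
  }
  const unique = all.filter((t, i) => all.indexOf(t) === i);
  const blocked = unique.filter((t) => {
    const n = normaliseRelative(t);
    return n === null || PROTECTED_PREFIXES.some((pre) => n.startsWith(pre));
  });
  return { naiveTargets: naive, allTargets: unique, blocked };
}

// Constructed sample: the header shown to the user names a harmless file,
// while the rename directive points the write at .git/config.
const SAMPLE_PATCH: string = [
  "*** Begin Patch", "*** Update File: README.md", "*** Move to: .git/config",
  "@@", "-old line", "+[core]", "*** End Patch",
].join("\n");
```

Running `reviewPatch(SAMPLE_PATCH)` reports only `README.md` as the naive target but `.git/config` among the real targets and in the blocked list, which is the gap the confirmation dialog needs to close.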

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.hacktron.ai/blog/rce-in-vscode-copilot

Content Categories: Based on the analysis, this content was categorized under "AI Security / AI Agent Abuse Local AI CLI Tools and MCP, with a cross-reference from Generic Hacking or Web/AI sections for arbitrary file write to RCE via .git/config poisoning".

Repository Maintenance:

  • MD Files Formatting: 974 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
