CVE-2023-33144
Published: 14 June 2023
Summary
CVE-2023-33144 is a medium-severity Relative Path Traversal (CWE-23) vulnerability in Microsoft Visual Studio Code. Its CVSS base score is 6.6 (Medium).
Operationally, it ranks in the top 27.1% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
Deeper analysis
CVE-2023-33144 is a spoofing vulnerability affecting Visual Studio Code, assigned CWE-23 for relative path traversal. It carries a CVSS 3.1 base score of 6.6, reflecting a local attack vector, low attack complexity, low privileges required and required user interaction; successful exploitation has high impact on confidentiality and integrity, with no effect on availability.
An attacker with local access and limited privileges can exploit the flaw by presenting a crafted resource that the victim is tricked into opening or interacting with inside Visual Studio Code, enabling unauthorized disclosure or modification of files on the system.
Microsoft has published guidance for the issue in its Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-33144.
The EPSS score for this CVE rose materially from a low baseline to a peak of 0.0762 on 2025-01-22 before receding to its current value of 0.0072, indicating a period of elevated predicted exploitation interest well after the initial disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-37329
Vulnerability details
Visual Studio Code Spoofing Vulnerability
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.