Cyber Resilience

CVE-2025-24042

Severity: High · LPE

Published: 11 February 2025
Modified: 02 July 2025
KEV Added: not listed
Patch: available (update to a release later than 1.97.1)
CVSS v3.1: 7.3 (High) · CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.0011 (28.1 percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-24042 is a high-severity Improper Access Control (CWE-284) vulnerability in Microsoft Visual Studio Code. Its CVSS base score is 7.3 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 28.1 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-24042, titled Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability, affects the JavaScript Debug (JS Debug) extension that ships with Visual Studio Code. Published on 2025-02-11, it carries a CVSS v3.1 base score of 7.3 (CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H) and is classified as CWE-284 (Improper Access Control). The flaw allows privilege escalation through the extension's debugging functionality.

A local attacker with low privileges exploits it by convincing a user to interact with a malicious debug configuration or file in Visual Studio Code, for example by opening a workspace that carries a crafted launch configuration and starting a debugging session from it. The vector reflects this: local access (AV:L), low privileges (PR:L) and user interaction (UI:R) are all required and scope is unchanged (S:U), but a successful exploit yields high confidentiality, integrity and availability impact (C:H/I:H/A:H): unauthorized access to confidential data, modification of system integrity and disruption of availability.

The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24042 details the issue and directs users to the patched JS Debug extension. Because the extension is delivered with Visual Studio Code and the affected range listed under Affected Assets ends at 1.97.1, the practical remediation is to update Visual Studio Code to a later release; extension updates are otherwise obtained through the Visual Studio Code marketplace.
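As an added check (example code written for this page, not taken from the MSRC advisory or from Visual Studio Code), the script below audits a workstation against the affected range the page lists (≤ 1.97.1) and, as a compensating control for the user-interaction step, confirms that VS Code's Workspace Trust is still enabled, since Restricted Mode prevents debug sessions from starting in untrusted folders. Assumptions: the first line of `code --version` is the release version, the settings file is plain JSON (real settings.json files may contain comments, which `json.loads` rejects), and `security.workspace.trust.enabled` defaults to true when absent. The sample inputs are constructed.

```python
"""Added example for this page: audit a workstation for CVE-2025-24042 exposure.

Not code from the MSRC advisory or from Visual Studio Code. It checks the
installed VS Code release against the page's affected range (<= 1.97.1) and
whether Workspace Trust is still enabled in user settings.
"""
import json
import re

# Highest affected release per the page's Affected Assets entry.
LAST_AFFECTED = (1, 97, 1)

# Release version such as "1.97.1"; pre-release suffixes ("1.98.0-insider") are tolerated.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(first_line: str) -> tuple[int, int, int]:
    """Parse the first line of `code --version` into a comparable numeric tuple."""
    m = _VERSION_RE.match(first_line.strip())
    if not m:
        raise ValueError(f"unrecognised VS Code version string: {first_line!r}")
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected(first_line: str) -> bool:
    """True when the release is within the affected range (<= 1.97.1).

    Compare numerically: a string comparison would rank "1.100.0" below
    "1.97.1" and report a fixed build as vulnerable.
    """
    return parse_version(first_line) <= LAST_AFFECTED


def workspace_trust_enabled(settings_json: str) -> bool:
    """Read security.workspace.trust.enabled from a settings.json document.

    Assumption: the default is true, so an absent key counts as enabled.
    Real settings files may be JSONC (comments, trailing commas); strip those
    before calling this, because json.loads rejects them.
    """
    settings = json.loads(settings_json) if settings_json.strip() else {}
    return bool(settings.get("security.workspace.trust.enabled", True))


def audit(code_version_output: str, settings_json: str) -> list[str]:
    """Return a list of findings; an empty list means no exposure was detected."""
    findings = []
    version_line = code_version_output.splitlines()[0]
    if is_affected(version_line):
        findings.append(
            f"VS Code {version_line} is within the affected range (<= 1.97.1): "
            "update to a later release (CVE-2025-24042)"
        )
    if not workspace_trust_enabled(settings_json):
        findings.append(
            "Workspace Trust is disabled: debug configurations in untrusted "
            "folders run without the Restricted Mode safeguard"
        )
    return findings


# Constructed sample inputs (not captured from a real machine).
SAMPLE_VERSION_OUTPUT = "1.97.1\n0000000000000000000000000000000000000000\nx64\n"
SAMPLE_SETTINGS = '{"security.workspace.trust.enabled": false}'

if __name__ == "__main__":
    for finding in audit(SAMPLE_VERSION_OUTPUT, SAMPLE_SETTINGS):
        print("FINDING:", finding)
```

In use, feed `audit()` the real `code --version` output and the contents of the user's settings.json; both findings are independent, so a patched build with Workspace Trust switched off still produces a finding, which is the configuration most likely to be missed by a version-only inventory.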


Vulnerability details

Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability

CWE(s): CWE-284 Improper Access Control

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE explicitly describes an elevation of privilege vulnerability (CWE-284) in the JS Debug extension that allows a local attacker to gain elevated privileges via malicious debug configuration, directly mapping to Exploitation for Privilege Escalation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-41613 (same product: Microsoft Visual Studio Code)
CVE-2025-26631 (same product: Microsoft Visual Studio Code)
CVE-2026-42823 (same vendor: Microsoft)
CVE-2026-41611 (same product: Microsoft Visual Studio Code)
CVE-2025-24076 (same vendor: Microsoft)
CVE-2025-21359 (same vendor: Microsoft)
CVE-2026-23660 (same vendor: Microsoft)
CVE-2026-24290 (same vendor: Microsoft)
CVE-2026-40420 (same vendor: Microsoft)
CVE-2026-20929 (same vendor: Microsoft)

Affected Assets

Microsoft Visual Studio Code ≤ 1.97.1

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent): Enforces approved access authorizations, directly countering the improper access control that enables privilege escalation in the JS Debug extension.

AC-6 Least Privilege (prevent): Limits what a low-privilege attacker can reach when escalating during a debugging session through a malicious configuration.

Prevent: Remediates the specific elevation-of-privilege flaw by requiring an update to the patched JS Debug extension version.
