CVE-2025-24042
Published: 11 February 2025
Summary
CVE-2025-24042 is a high-severity Improper Access Control (CWE-284) vulnerability in Microsoft Visual Studio Code. Its CVSS base score is 7.3 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 28.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability, identified as CVE-2025-24042, affects the JavaScript Debug extension for Visual Studio Code. Published on 2025-02-11, it carries a CVSS v3.1 score of 7.3 (AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H), stemming from CWE-284 (Improper Access Control). The flaw enables privilege escalation within the extension's debugging functionality.
A local attacker with low privileges can exploit this by convincing a user to interact with a malicious debug configuration or file in Visual Studio Code, such as during a debugging session. Exploitation grants elevated privileges, allowing high-impact unauthorized access to confidential data, modification of system integrity, and disruption of availability.
The Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-24042 details the issue and urges updating the JS Debug extension to the patched version through the Visual Studio Code marketplace.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-3606
Vulnerability details
Visual Studio Code JS Debug Extension Elevation of Privilege Vulnerability
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE explicitly describes an elevation of privilege vulnerability (CWE-284) in the JS Debug extension that allows a local attacker to gain elevated privileges via malicious debug configuration, directly mapping to Exploitation for Privilege Escalation.
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Enforces approved access authorizations to directly counter the improper access control enabling privilege escalation in the JS Debug extension.
Implements least privilege to restrict low-privilege attackers from escalating access during debugging sessions via malicious configurations.
Remediates the specific elevation of privilege flaw by requiring updates to the patched JS Debug extension version.