CVE-2025-53773

Published Aug 12, 2025

Last updated 7 months ago

CVSS high 7.8
GitHub Copilot
API

Overview

Description
Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute code locally.
Source
secure@microsoft.com
NVD status
Analyzed
Products
visual_studio_2022

Risk scores

CVSS 3.1

Type
Secondary
Base score
7.8
Impact score
5.9
Exploitability score
1.8
Vector string
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

secure@microsoft.com
CWE-77

Social media

Hype score
Not currently trending
  1. Sec-Context: comprehensive AI code anti-patterns for LLMs — breadth (~65K tokens) and depth (~100K tokens) references. Top risks: dependency squatting, XSS, hardcoded secrets. #XSS #LLM #CVE-2025-53773 https://t.co/uExud2AxXG

    @hasamba

    14 Mar 2026

    142 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  2. In 2026, prompt injection holds that same position for AI applications. A GitHub Copilot vulnerability (CVE-2025-53773) allowed an attacker to achieve full remote code execution by embedding malicious instructions in a README file. Read full article here. https://t.co/qaOZWMiK9J

    @KuSecureLayer

    10 Mar 2026

    113 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. AI Exploitation Techniques AI exploitation techniques have evolved from theoretical research to weaponized attacks against production systems. GitHub Copilot suffered CVE-2025-53773 (CVSS 9.6), enabling remote code execution through prompt injection. Microsoft patched a https://

    @xhackio

    28 Feb 2026

    151 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  4. I bypassed CVE-2025-53773. The RCE previously reported in GitHub's Copilot. Microsoft released the fix recently (CVE-2025-64660) - update! Less than 10 days for IDEsaster. Are you ready? Follow so you don't miss it. #aisecurity #idesaster https://

    @Ari_MaccariTA

    27 Nov 2025

    48 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. GitHub Copilot: Remote Code Execution via Prompt Injection (CVE-2025-53773) https://t.co/F35hMD4pBj 2025-10-13 05:00:10 +0900

    @hackernewsj

    12 Oct 2025

    33 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. GitHub Copilot: Remote Code Execution via Prompt Injection (CVE-2025-53773) · Embrace The Red https://t.co/BmFKYuDYBO

    @ProjectMictlan

    12 Oct 2025

    0 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. From jailbreaks to prompt injection, attackers are exploiting LLMs in ways traditional security misses. This quick, 30 minute monthly webinar series from @pangeacyber Labs and @MrJoeyMelo covers real-world exploits like Scamlexity and GitHub Copilot RCE (CVE-2025-53773), demos of

    @pangeacyber

    3 Sept 2025

    155 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. Remote Code Execution in GitHub Copilot (CVE-2025-53773) A prompt injection exploit can overwrite the Copilot config file, force it into "YOLO mode" and grant immediate RCE - completely bypassing user approvals.

    @luminousmen

    3 Sept 2025

    92 Impressions

    0 Retweets

    3 Likes

    0 Bookmarks

    1 Reply

    0 Quotes

  9. GitHub Copilot RCE vulnerability CVE-2025-53773 fixed: what is the "YOLO mode" that arises in Visual Studio? https://t.co/9LavMnyeCW A vulnerability has been discovered in which GitHub Copilot can modify its config file without obtaining user approval

    @iototsecnews

    27 Aug 2025

    67 Impressions

    2 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Part III: CVE-2025-53773 - Visual Studio & Copilot – Wormable Command Execution via Prompt Injection https://www.persistent-security.net/post/part-iii-vscode-copilot-wormable-command-execution-via-prompt-injection

    @Dinosn

    18 Aug 2025

    3664 Impressions

    11 Retweets

    26 Likes

    16 Bookmarks

    0 Replies

    0 Quotes

  11. #MLSecOps Prompt Injection Attacks Part 1: Prompt Injection - Exploiting LLM Instruction Confusion - https://t.co/EFQr0YH7Lv Part 2: Wormable Prompt Injections - Self-Replicating Exploits in AI - https://t.co/M5ZxrGhoIM Part 3: CVE-2025-53773 - Visual Studio & Copilot - Worma

    @ksg93rd

    17 Aug 2025

    423 Impressions

    0 Retweets

    9 Likes

    9 Bookmarks

    0 Replies

    0 Quotes

  12. GitHub Copilot: Remote Code Execution via Prompt Injection (CVE-2025-53773) · Embrace The Red https://t.co/9UMd0WL504

    @JoshuaOpolko

    16 Aug 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. GitHub Copilot: Remote Code Execution via Prompt Injection (CVE-2025-53773) https://t.co/ejBuxoYz2h

    @HackingTeam777

    15 Aug 2025

    688 Impressions

    1 Retweet

    15 Likes

    5 Bookmarks

    0 Replies

    0 Quotes

  14. "The remote code execution vulnerability lurking in GitHub Copilot": RCE vulnerability CVE-2025-53773 via prompt injection discovered. Abusing YOLO mode allows full control of a developer's machine. A security risk of AI development tools. 要

    @t3_corp

    15 Aug 2025

    21 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. 🚨 A critical flaw in GitHub Copilot (CVE-2025-53773) allowed hackers to use prompt injection to activate "YOLO mode" and execute commands without authorization, compromising Windows, macOS and Linux. 👉 https://t.co/Zuj1WHCOiL https://t.co/utOoYZa3Pa

    @TechStartXYZ

    13 Aug 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  16. A critical security vulnerability in GitHub Copilot has been disclosed (CVE-2025-53773). A sophisticated prompt injection technique could execute code remotely and fully compromise the system. これは

    @yousukezan

    13 Aug 2025

    10033 Impressions

    30 Retweets

    68 Likes

    47 Bookmarks

    0 Replies

    1 Quote

  17. Remote code execution vulnerability via prompt injection in GitHub Copilot. Fixed in Microsoft's August monthly patch, rated Critical. CVE-2025-53773は間接プロンプトインジェクションにより、設定ファイルでYOLOモード(ユー

    @__kokumoto

    13 Aug 2025

    2842 Impressions

    4 Retweets

    13 Likes

    1 Bookmark

    0 Replies

    1 Quote

  18. [AI tool security] A serious vulnerability tracked as CVE-2025-53773 has been discovered in GitHub Copilot; it was found to enable remote code execution through prompt injection.

    @nakajimeeee

    13 Aug 2025

    805 Impressions

    0 Retweets

    11 Likes

    9 Bookmarks

    0 Replies

    0 Quotes

  19. Github Copilot Remote Code Execution CVE-2025-53773 via prompt injection https://t.co/GdPzOiZB2x

    @0xJin

    13 Aug 2025

    1568 Impressions

    1 Retweet

    21 Likes

    4 Bookmarks

    1 Reply

    0 Quotes

  20. 💥 Remote Code Execution in GitHub Copilot (CVE-2025-53773) 👉 Prompt injection exploit writes to Copilot config file and puts it into YOLO mode, then we get immediate RCE 🔥 Bypasses all user approvals 🛡️ Patch is out today. Update before someone else does it for

    @wunderwuzzi23

    12 Aug 2025

    69447 Impressions

    134 Retweets

    667 Likes

    379 Bookmarks

    9 Replies

    11 Quotes

  21. CVE-2025-53773 Improper neutralization of special elements used in a command ('command injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to execute cod… https://t.co/I1zKyzufyq

    @CVEnew

    12 Aug 2025

    317 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations