CVE-2021-28967
Description
The unofficial MATLAB extension before 2.0.1 for Visual Studio Code allows attackers to execute arbitrary code via a crafted workspace because of lint configuration settings.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Visual Studio Code / MATLAB extension for Visual Studio Code
- Range: <2.0.1
Patches
Vulnerability mechanics
Root cause
"Missing scope restriction on configuration properties allowed workspace-level overrides of the linter executable path."
Attack vector
An attacker crafts a malicious Visual Studio Code workspace containing a `.vscode/settings.json` file that sets `matlab.linterConfig` to an arbitrary executable path. When the victim opens the workspace and the MATLAB extension runs linting, the extension invokes the attacker-controlled path, resulting in arbitrary code execution. No authentication is required; the victim only needs to open the malicious workspace.
Affected code
The vulnerability lies in the `matlab.linterConfig`, `matlab.matlabpath`, and `matlab.mlintpath` configuration properties defined in the extension's `package.json`. Before the patch, these settings lacked a `"scope"` constraint, allowing them to be overridden by workspace-level `.vscode/settings.json`.
What the fix does
The patch adds `"scope": "machine"` to the `matlab.linterConfig`, `matlab.matlabpath`, and `matlab.mlintpath` configuration properties, and `"scope": "window"` to the remaining lint-related settings. This restricts these settings to machine-level or window-level scope, preventing a malicious workspace from overriding them via `.vscode/settings.json`. Consequently, an attacker can no longer inject an arbitrary linter executable path through the workspace configuration.
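As an added example (not code from the advisory or the vscode-matlab project), a small audit script that flags configuration properties which name an executable yet can still be set from a workspace. In VS Code only the `application` and `machine` scopes are restricted to user or remote settings; every other scope, including the default `window`, can be overridden by `.vscode/settings.json`. The `package.json` fragments are constructed from the property names above, `matlab.lintOnSave` is a made-up stand-in for the "remaining lint-related settings", and the name-matching heuristic is an assumption.

```javascript
// Audit a VS Code extension's "contributes.configuration" for settings that
// look like a path to a program to run and can still be set from a workspace.
// Only "application" and "machine" scopes are limited to user/remote settings;
// "window" (the default), "resource", "machine-overridable" and
// "language-overridable" may all be overridden by .vscode/settings.json.
const WORKSPACE_PROOF_SCOPES = new Set(['application', 'machine']);

// Heuristic (assumption): property ids hinting at an executable path.
const EXEC_HINT = /path|exec|bin|linterconfig|command/i;

function workspaceOverridableExecSettings(pkg) {
  const contrib = (pkg.contributes && pkg.contributes.configuration) || [];
  const sections = Array.isArray(contrib) ? contrib : [contrib];
  const findings = [];
  for (const section of sections) {
    for (const [id, def] of Object.entries(section.properties || {})) {
      if (!EXEC_HINT.test(id)) continue;
      const scope = def.scope || 'window'; // VS Code defaults to "window"
      if (!WORKSPACE_PROOF_SCOPES.has(scope)) {
        findings.push(`${id} (scope: ${scope})`);
      }
    }
  }
  return findings;
}

// Constructed fragments modelled on the property names in the advisory;
// not the extension's actual package.json.
const before = { contributes: { configuration: { properties: {
  'matlab.linterConfig': { type: 'string' },
  'matlab.matlabpath': { type: 'string' },
  'matlab.mlintpath': { type: 'string' },
  'matlab.lintOnSave': { type: 'boolean' },
} } } };

const after = { contributes: { configuration: { properties: {
  'matlab.linterConfig': { type: 'string', scope: 'machine' },
  'matlab.matlabpath': { type: 'string', scope: 'machine' },
  'matlab.mlintpath': { type: 'string', scope: 'machine' },
  'matlab.lintOnSave': { type: 'boolean', scope: 'window' },
} } } };

console.log('before fix:', workspaceOverridableExecSettings(before));
console.log('after fix: ', workspaceOverridableExecSettings(after));
```

Run against the unpatched fragment it lists the three path properties; against the patched one it returns nothing, while the boolean `window`-scoped setting is ignored because it names no executable.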
Preconditions
- Input: the victim must open a malicious workspace in Visual Studio Code with the MATLAB extension installed.
- Config: the malicious workspace must contain a `.vscode/settings.json` that overrides `matlab.linterConfig`.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/Gimly/vscode-matlab/commit/fc5dc53397677464099e80629e785a25718bf5ec
- github.com/Gimly/vscode-matlab/releases
- marketplace.visualstudio.com/items/Gimly81.matlab/changelog
- vuln.ryotak.me/advisories/2
News mentions
No linked articles in our index yet.