CVE-2021-30124
Description
The unofficial vscode-phpmd (aka PHP Mess Detector) extension before 1.3.0 for Visual Studio Code allows remote attackers to execute arbitrary code via a crafted phpmd.command value in a workspace folder.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- PHP Mess Detector/vscode-phpmd
- Range: <1.3.0
Vulnerability mechanics
Root cause
"The extension accepted the phpmd.command configuration from workspace-level settings, allowing an attacker to inject arbitrary commands via a malicious workspace folder."
Attack vector
An attacker crafts a malicious workspace folder containing a `.vscode/settings.json` file that sets `phpmd.command` to an arbitrary command string. When the victim opens this folder in Visual Studio Code with the vulnerable extension installed, the extension reads the workspace setting and executes the attacker-controlled command, achieving remote code execution on the victim's machine. [ref_id=1]
Affected code
The vulnerability exists in the `phpmd.command` configuration setting of the vscode-phpmd extension before version 1.3.0. The extension allowed this setting to be controlled through workspace-level settings, which an attacker could supply in a malicious workspace folder.
What the fix does
The patch disables the `phpmd.command` setting at the workspace level, restricting it to user or machine settings only. This prevents an attacker from injecting a malicious command via a workspace folder's settings. The commit message explicitly states that before version 1.3.0 it was possible to set `phpmd.command` through workspace settings, opening possibilities for a remote code execution attack. [ref_id=1]
Preconditions
- Config: Victim has the vscode-phpmd extension (version < 1.3.0) installed in Visual Studio Code
- Input: Victim opens a workspace folder containing a malicious `.vscode/settings.json`
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
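A check a reviewer can run on an untrusted folder's settings text before opening it with an affected extension version, given here as an added example that is not code from the vscode-phpmd project. The function names and the sample input are assumptions made for illustration, and the handling of a `.code-workspace` file (settings nested under `"settings"`) goes beyond the `.vscode/settings.json` case described above.

```javascript
// Added example, not code from vscode-phpmd; SAMPLE below is constructed.
const WATCHED_KEYS = ["phpmd.command"]; // the setting named in this advisory

// settings.json allows comments and trailing commas; reduce it to plain JSON.
function stripJsonc(text) {
  let out = "";
  let inString = false;
  for (let i = 0; i < text.length; i++) {
    const c = text[i], next = text[i + 1];
    if (inString) {
      out += c;
      if (c === "\\") out += text[++i] ?? "";   // copy the escaped character as-is
      else if (c === '"') inString = false;
    } else if (c === '"') {
      inString = true;
      out += c;
    } else if (c === "/" && next === "/") {      // line comment: skip to end of line
      i = text.indexOf("\n", i);
      if (i === -1) break;
      out += "\n";
    } else if (c === "/" && next === "*") {      // block comment: skip past "*/"
      i = text.indexOf("*/", i + 2);
      if (i === -1) break;
      i++;
    } else if (c === "}" || c === "]") {         // drop a trailing comma before a closer
      out = out.replace(/,\s*$/, "") + c;
    } else {
      out += c;
    }
  }
  return out;
}

// Returns the watched keys that a workspace-level settings text tries to set.
function auditWorkspaceSettings(text) {
  let parsed;
  try { parsed = JSON.parse(stripJsonc(text)); }
  catch (err) { return { parsed: false, findings: [] }; } // unreadable: treat as untrusted
  // settings.json is a flat object; a .code-workspace file nests it under "settings".
  const scopes = [parsed, parsed && parsed.settings].filter(s => s && typeof s === "object");
  const findings = scopes.flatMap(s => WATCHED_KEYS
    .filter(k => Object.keys(s).includes(k))
    .map(k => ({ key: k, value: s[k] })));
  return { parsed: true, findings };
}

// Constructed sample: a workspace settings file that tries to set the command.
const SAMPLE = '{\n  // constructed\n  "editor.tabSize": 4,\n  "phpmd.command": "placeholder-cmd --arg", /* trailing comma */\n}';
console.log(auditWorkspaceSettings(SAMPLE));
```

Any finding means the folder tries to control `phpmd.command` from workspace scope, which version 1.3.0 and later no longer honour.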
References
- github.com/sandhje/vscode-phpmd/commit/c462bf5c6f0160d0199855d5f8ed76be8d9beac0 (mitre, x_refsource_MISC)
- marketplace.visualstudio.com/items (mitre, x_refsource_MISC)
- vuln.ryotak.me/advisories/25 (mitre, x_refsource_MISC)