CVE-2025-47959: 
Visual Studio 2022 vulnerability analysis and mitigation

A remote code execution vulnerability (CVE-2025-47959) was discovered in Microsoft Visual Studio. The vulnerability was disclosed on June 12, 2025, and involves improper neutralization of special elements used in command injection that allows an authorized attacker to execute code over a network (NVD, CVE).

The specific flaw exists within the handling of the devcontainer.json file. When opening a project, the user interface fails to warn the user of unsafe actions. The vulnerability has been assigned a CVSS v3.1 base score of 7.1 (HIGH) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H. The vulnerability is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command) (ZDI, NVD).

An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. The vulnerability requires user interaction to exploit, specifically the target must visit a malicious page or open a malicious file (ZDI).

Microsoft has issued an update to correct this vulnerability as part of their June 2025 Patch Tuesday updates. Users are advised to apply the security update to affected installations of Microsoft Visual Studio (ZDI).

The vulnerability was discovered and reported by Nitesh Surana (@_niteshsurana) and Nelson William Gamazo Sanchez of Trend Micro Research. The disclosure timeline indicates that the vulnerability was reported to Microsoft on February 19, 2025, with a coordinated public release on June 10, 2025 (ZDI).