GitHub Copilot and VS Code YOLO-Mode Remote Code Execution - CVE-2025-53773
Johann Rehberger of Embrace The Red disclosed CVE-2025-53773, a remote code execution flaw in GitHub Copilot and Visual Studio Code driven by indirect prompt injection. Because Copilot could modify project files without user approval, attacker-controlled text could make the agent enable an experimental YOLO mode that disables every confirmation and lets it run shell commands. This advisory covers what was disclosed and how to govern this class of agent self-modification across a fleet.
What happened
CVE-2025-53773 is an indirect prompt injection that escalates to full remote code execution in GitHub Copilot running inside Visual Studio Code. Copilot, acting as an agent, could write to project files without asking the user. Attacker text planted in source code, a web page Copilot read, or a GitHub issue could instruct the agent to add the line "chat.tools.autoApprove": true to the workspace's .vscode/settings.json. That single setting places Copilot into experimental YOLO mode.
In YOLO mode, all user confirmations are disabled. The agent can then execute shell commands, browse the web, and perform privileged actions with no human in the loop, across Windows, macOS, and Linux. Because a compromised machine can write the same injected instructions into other repositories the developer touches, the flaw carries a wormable propagation path rather than affecting a single host. Related vectors in the same research abused .vscode/tasks.json and malicious MCP server injection, all relying on Copilot's ability to change configuration without approval.
Rehberger reported it on June 29, 2025. Microsoft confirmed it was already tracked internally and shipped a fix in the August 2025 Patch Tuesday release, which now requires explicit user approval for configuration changes that affect security settings - closing the silent edit that flipped the agent into auto-approve.
Why this is an agentic-endpoint risk
The attack surface here is not a server or a network path - it is the coding agent itself and the settings file it is allowed to edit. The exploit chains two ordinary agent behaviors: Copilot reads untrusted content (a file, a page, an issue) and Copilot writes project configuration. Neither is malicious alone, but together they let attacker text rewrite the agent's own permission boundary. The .vscode/settings.json flag, the extension that grants Copilot file-write access, and any MCP server it can reach are exactly the artifacts an AI coding agent operates on, and they report to no security tool.
This exposure is hard to see from the controls you already run, because it lives in the AI artifact layer. EDR sees a trusted Code process editing a JSON file in the developer's own workspace; the network sees ordinary TLS traffic; DLP sees nothing at rest in a one-line settings change. Extensions, agents, settings, and MCP servers are part of the eight AI artifact types Anomity tracks per endpoint, adopted bottom-up the same way AI agents and MCP servers became the new shadow IT. The question is not whether one laptop is patched; it is which endpoints run an unpatched Copilot or VS Code build, and which workspaces already carry chat.tools.autoApprove - and you cannot answer that without an inventory of the artifact layer.
How Anomity surfaces and governs it
The August 2025 Patch Tuesday fix closes the specific silent-edit path by requiring approval for security-relevant configuration changes, but the durable control is to treat agent self-modification as untrusted and govern it before it takes effect. Anomity does that in three steps.
First, inventory. Anomity inventories the extensions, agents, and settings on every managed endpoint as part of the eight AI artifact types it tracks, then classifies them. It captures the GitHub Copilot and VS Code build, the workspace .vscode/settings.json metadata - including whether chat.tools.autoApprove is set - the .vscode/tasks.json definitions, and any MCP servers the agent can reach, so you can find unpatched builds and workspaces already flipped into auto-approve. Metadata only: any secrets in scanned files are redacted on the endpoint before anything leaves it.
Second, decide at the hook. On agents that expose a hook - the same pattern as a Claude Code PreToolUse event - Anomity evaluates each tool call against your policy and returns allow, deny, or log before the call runs. A shell command issued by an agent that has just silently enabled YOLO mode can be denied at the boundary, which is exactly the control runtime governance provides while an unpatched build is still being rolled forward. This is the same agent-configuration class of abuse the sibling Claude Code project-file RCE and token exfiltration advisory covered, where repository-supplied settings crossed a trust boundary before the user could intervene.
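The allow/deny/log decision described above, as an added illustration rather than Anomity's product code or any real agent's hook API: a small pre-tool-call policy that sees each call before it runs. The tool-call schema (a dict with "tool" and "args"), the tool names write_file/edit_file/run_shell, and the Context fields are assumptions for this example; the one real identifier is the chat.tools.autoApprove key the advisory names. The policy denies an agent edit that introduces a security-relevant key into project configuration, denies a shell command issued while auto-approve is set and no person confirmed that specific call, and logs (rather than denies) ordinary configuration edits so the audit trail still records them.

```python
"""Added example: a pre-tool-call policy in the allow/deny/log style.
Not Anomity's code and not a real agent's hook format; the tool names,
argument keys and Context fields are hypothetical."""
from dataclasses import dataclass

# Keys whose change redraws the agent's own permission boundary (from the advisory).
SECURITY_KEYS = ("chat.tools.autoApprove",)
# Project configuration the agent writes to; edits here are never "routine".
PROTECTED_FILES = (".vscode/settings.json", ".vscode/tasks.json")


@dataclass
class Decision:
    action: str   # "allow", "deny" or "log"
    reason: str


@dataclass
class Context:
    """Hypothetical workspace state supplied to the hook."""
    auto_approve_enabled: bool        # is chat.tools.autoApprove currently set?
    human_confirmed: bool = False     # did a person approve this specific call?


def _normalised_path(args: dict) -> str:
    return str(args.get("path", "")).replace("\\", "/")


def evaluate(call: dict, ctx: Context) -> Decision:
    """Decide one tool call before it executes."""
    tool = call.get("tool")
    args = call.get("args", {})

    if tool in ("write_file", "edit_file"):
        path = _normalised_path(args)
        content = str(args.get("content", ""))
        if path.endswith(PROTECTED_FILES):
            # Simple containment check: good enough to catch the key being
            # introduced; a stricter hook would parse the resulting JSON.
            if any(key in content for key in SECURITY_KEYS):
                return Decision("deny", f"agent tried to set a security-relevant key in {path}")
            return Decision("log", f"agent edited project configuration {path}")
        return Decision("allow", f"ordinary file write to {path}")

    if tool == "run_shell":
        if ctx.auto_approve_enabled and not ctx.human_confirmed:
            return Decision("deny", "shell command while auto-approve is set and no human confirmed it")
        return Decision("log", f"shell command confirmed by a person: {args.get('command', '')!r}")

    return Decision("allow", f"tool {tool!r} not covered by policy")


def govern(calls: list, ctx: Context) -> list:
    """Evaluate a sequence of calls; every decision becomes an audit record."""
    audit = []
    for call in calls:
        decision = evaluate(call, ctx)
        audit.append({"tool": call.get("tool"), "action": decision.action, "reason": decision.reason})
    return audit


def demo() -> list:
    """Constructed sequence mirroring the advisory's chain: a harmless write,
    the injected settings edit, then a shell command with and without a person."""
    flipped = Context(auto_approve_enabled=True)
    calls = [
        {"tool": "write_file", "args": {"path": "README.md", "content": "# notes"}},
        {"tool": "write_file", "args": {"path": ".vscode/settings.json",
                                        "content": '{"chat.tools.autoApprove": true}'}},
        {"tool": "run_shell", "args": {"command": "echo sample"}},
    ]
    records = govern(calls, flipped)
    confirmed = Context(auto_approve_enabled=True, human_confirmed=True)
    records += govern([{"tool": "run_shell", "args": {"command": "echo sample"}}], confirmed)
    return records


if __name__ == "__main__":
    for record in demo():
        print(record)
```

The point of returning a Decision for every call, not only denials, is that the audit trail the advisory describes needs the allow and log entries as much as the deny entries to reconstruct what an agent did after a configuration change.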
Third, keep the record. Every decision, and every added, changed, or removed setting, extension, or MCP server, lands in a queryable 90-day audit trail, and decisions route to SIEM, Slack, email, or Jira. When a disclosure like CVE-2025-53773 lands, you can answer which endpoints ran the affected versions, which workspaces had chat.tools.autoApprove written into them, and what those agents were allowed to do afterward - from a record, not a guess. Anomity complements Network, EDR, DLP, and GRC tooling; it covers the artifact layer they were never built to inventory.
"You can't govern what you can't see." - The Anomity principle
What to check across your fleet
- Inventory every endpoint running GitHub Copilot in Visual Studio Code and record the installed version; flag anything before the August 2025 Patch Tuesday fix for CVE-2025-53773 and upgrade.
- Enumerate .vscode/settings.json across workspaces and surface any that set chat.tools.autoApprove to true, the flag that enables YOLO mode.
- Review .vscode/tasks.json definitions for tasks that run shell commands automatically on folder open, a related injection vector.
- Find every MCP server the agent can reach from a workspace and confirm none can be injected or initialized without review.
- Confirm tool calls from the agent are evaluated at the hook with allow/deny/log, so a shell command issued after a silent auto-approve edit is stopped before it runs.
- Treat agent edits to its own security-relevant settings as a denial-worthy event, not a routine file change, and alert on them.
- Verify every setting, extension, and MCP change is written to a 90-day audit trail and routed to your SIEM.
- Cross-reference against the sibling Claude Code project-file RCE and token exfiltration advisory to find endpoints exposed to more than one agent-configuration abuse path.
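The settings.json and tasks.json checks in the list above, as an added example that is not Anomity's scanner or any code from the original research: a scanner that walks a directory tree, parses each workspace's .vscode/settings.json and .vscode/tasks.json, and reports workspaces where chat.tools.autoApprove is true or where a task is set to start on folder open. VS Code writes these files as JSONC (comments and trailing commas are allowed), so a plain json.loads fails on real workspaces; the block includes a small string-aware JSONC-to-JSON pass. The folder-open trigger is the documented tasks.json form "runOptions": {"runOn": "folderOpen"}. The two sample workspaces the demo writes are constructed data.

```python
"""Added example, not code from Anomity, Microsoft or the original advisory:
find VS Code workspaces flipped into auto-approve or carrying folder-open tasks."""
import json
import tempfile
from pathlib import Path

AUTO_APPROVE_KEY = "chat.tools.autoApprove"   # the YOLO-mode flag named in the advisory


def _skip_insignificant(text: str, j: int) -> int:
    """Index of the next char that is neither whitespace nor inside a comment."""
    n = len(text)
    while j < n:
        if text[j] in " \t\r\n":
            j += 1
        elif text.startswith("//", j):
            k = text.find("\n", j)
            j = n if k == -1 else k
        elif text.startswith("/*", j):
            k = text.find("*/", j + 2)
            j = n if k == -1 else k + 2
        else:
            break
    return j


def strip_jsonc(text: str) -> str:
    """JSONC -> strict JSON: drop comments and trailing commas, but leave
    string literals (which may legitimately contain '//') untouched."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:          # keep the escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith(("//", "/*"), i):
            out.append(" ")                      # a comment still separates tokens
            i = _skip_insignificant(text, i)
        elif c == ",":
            j = _skip_insignificant(text, i + 1)
            if j < n and text[j] in "}]":        # trailing comma: drop it
                i += 1
                continue
            out.append(c)
            i += 1
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse_jsonc(text: str) -> dict:
    data = json.loads(strip_jsonc(text))
    if not isinstance(data, dict):
        raise ValueError("top-level value is not an object")
    return data


def auto_approve_enabled(settings: dict) -> bool:
    return settings.get(AUTO_APPROVE_KEY) is True


def folder_open_tasks(tasks: dict) -> list:
    """Labels of tasks configured to run as soon as the folder is opened."""
    return [t.get("label") or t.get("command") or "<unnamed>"
            for t in tasks.get("tasks", []) if isinstance(t, dict)
            and (t.get("runOptions") or {}).get("runOn") == "folderOpen"]


def scan_workspaces(root) -> list:
    """One finding per workspace that shows an indicator or whose config
    could not be parsed (an unparseable settings file deserves a look too)."""
    findings = []
    for vscode_dir in sorted(Path(root).rglob(".vscode")):
        if not vscode_dir.is_dir():
            continue
        f = {"workspace": str(vscode_dir.parent), "auto_approve": False,
             "folder_open_tasks": [], "errors": []}
        for name, check, key in (("settings.json", auto_approve_enabled, "auto_approve"),
                                 ("tasks.json", folder_open_tasks, "folder_open_tasks")):
            path = vscode_dir / name
            if path.is_file():
                try:
                    f[key] = check(parse_jsonc(path.read_text(encoding="utf-8-sig")))
                except (ValueError, UnicodeDecodeError) as exc:
                    f["errors"].append(f"{name}: {exc}")
        if f["auto_approve"] or f["folder_open_tasks"] or f["errors"]:
            findings.append(f)
    return findings


def make_sample_tree(base) -> Path:
    """Constructed sample data: one clean workspace, one flipped into YOLO mode."""
    clean = Path(base) / "clean" / ".vscode"
    clean.mkdir(parents=True)
    (clean / "settings.json").write_text('{\n  // editor prefs\n  "editor.tabSize": 2,\n}\n')
    flipped = Path(base) / "flipped" / ".vscode"
    flipped.mkdir(parents=True)
    (flipped / "settings.json").write_text(
        '{\n  "files.autoSave": "off",\n  "chat.tools.autoApprove": true, // injected\n}\n')
    (flipped / "tasks.json").write_text(
        '{\n  "version": "2.0.0",\n  "tasks": [\n    {"label": "bootstrap", "type": "shell",'
        ' "command": "echo sample", "runOptions": {"runOn": "folderOpen"}},\n  ],\n}\n')
    return Path(base)


def demo() -> list:
    """Build the constructed tree in a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_workspaces(make_sample_tree(tmp))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a developer's checkout root (for example scan_workspaces(Path.home() / "src")) and feed the findings to whatever inventory you already keep; a parse error on a settings file is reported rather than skipped because a file an agent has been editing is exactly the one you do not want to silently ignore.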
CVE-2025-53773 is a reminder that a coding agent allowed to edit its own configuration can be talked into removing its own guardrails: a hidden instruction in a file, a page, or an issue flips Copilot into YOLO mode and turns assistance into remote code execution. Apply the August 2025 Patch Tuesday fix, then inventory the extensions, agents, settings, and MCP servers your endpoints carry and govern the resulting tool calls at the hook. For the full coding-agent attack surface, see the pillar guide on securing AI coding agents and CLIs. To see Anomity govern the agent and CLI layer across your fleet, request early access.
Frequently asked questions
What is CVE-2025-53773 in GitHub Copilot?
CVE-2025-53773 is a remote code execution flaw in GitHub Copilot and Visual Studio Code, disclosed by Johann Rehberger of Embrace The Red. It is driven by indirect prompt injection: because Copilot could modify project files without user approval, attacker text hidden in source code, a web page, or a GitHub issue could instruct the agent to write "chat.tools.autoApprove": true into .vscode/settings.json. That setting flips Copilot into experimental YOLO mode, which disables every user confirmation and lets the agent run shell commands, browse the web, and perform privileged actions on Windows, macOS, and Linux.
What is YOLO mode and why does it matter here?
YOLO mode is the state Copilot enters when chat.tools.autoApprove is set to true in VS Code settings. It removes the per-action confirmation that normally gates tool calls, so the agent can execute shell commands, browse the web, and take other privileged actions with no human in the loop. In CVE-2025-53773 the attacker never needs to click anything: injected text makes Copilot edit its own settings to enable the mode, then the same agent uses the new freedom to run commands. Because a compromised machine can plant the same injection in new repositories, the flaw has a wormable propagation path across developers.
Is CVE-2025-53773 patched, and what was the fix?
Yes. Johann Rehberger reported it on June 29, 2025. Microsoft confirmed the issue was already tracked internally and shipped a fix in the August 2025 Patch Tuesday release, which requires explicit user approval before configuration changes that affect security settings - closing the silent edit of chat.tools.autoApprove. Endpoints on standard VS Code auto-update receive the fix automatically; managed or pinned installs need an explicit upgrade. Related vectors that abused .vscode/tasks.json and malicious MCP server injection share the same root cause, so patching is necessary but the durable control is governing what the agent's configuration may change.
How does Anomity reduce exposure to this class of flaw?
Anomity inventories the extensions, agents, and settings on every managed endpoint as part of the eight AI artifact types it tracks, so you can find unpatched Copilot or VS Code builds and any .vscode/settings.json that already carries chat.tools.autoApprove. On agents that expose a hook, it returns allow, deny, or log on each tool call before it runs, so a silent edit that flips an agent into auto-approve can be denied at the boundary. Every configuration change and decision lands in a queryable 90-day audit trail routed to your SIEM, Slack, email, or Jira.