Server-Side Request Forgery and Uncontrolled Resource Consumption in LemMinX

The vulnerability allows an attacker to induce the vscode-xml extension to download a large file from an arbitrary URL. This can lead to a denial-of-service condition by consuming excessive network bandwidth and server resources. More concerningly, the SSRF aspect allows an attacker to potentially access internal resources that the VS Code instance has access to, bypassing security controls. This could involve reading sensitive configuration files, accessing internal APIs, or even interacting with other services within the network. The impact is amplified if the VS Code instance is running with elevated privileges or has access to sensitive data. While no direct exploitation has been publicly reported, the SSRF component presents a significant risk due to its potential for data exfiltration and lateral movement.

Developers and organizations using the vscode-xml extension in Visual Studio Code are at risk. This includes teams working with XML-based projects, particularly those who rely on schema validation or automatic schema downloads. Shared hosting environments where multiple users share a single VS Code instance are also at increased risk, as a compromised user could potentially exploit the vulnerability to impact other users.

• windows / supply-chain: Monitor VS Code processes (code.exe) for unusual network connections using Get-Process | Where-Object {$_.ProcessName -eq 'code'}. Check for suspicious entries in the VS Code extension directory (typically %USERPROFILE%/.vscode/extensions) for modified or unexpected files.

Get-Process | Where-Object {$_.ProcessName -eq 'code'} | Select-Object Name, Id, CPU, WorkingSet

• linux / server: Monitor VS Code processes (code) using ps aux | grep code. Examine system logs (e.g., /var/log/syslog) for errors related to schema downloads or network connections originating from the VS Code process.

ps aux | grep code

• generic web: Monitor VS Code instances for outbound HTTP requests to unusual or unexpected domains. Examine VS Code's network traffic using tools like Wireshark or tcpdump for suspicious patterns.

1. 2022-02-19Disclosure

   disclosure

2. 2022-02-19Patch

   patch

1. Réservé2022-02-17
2. Publiée2022-02-19
3. Modifiée2023-11-08
4. EPSS mis à jour2026-04-02

The primary mitigation for CVE-2022-0671 is to immediately upgrade the vscode-xml extension to version 0.19.0 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the schema download functionality within the extension's settings. Network-level controls, such as a Web Application Firewall (WAF), can be configured to block requests to suspicious URLs or limit the size of downloaded files. Monitor VS Code instances for unusual network activity or resource consumption. After upgrading, confirm the fix by attempting to trigger a schema download from a known-safe URL and verifying that the download completes without errors or excessive resource usage.