What happened
GitHub Copilot 1.372.0 allows filesystem access outside the workspace folder without user approval via a file-handler URI parameter passed to fetch_webpage. Combined with indirect prompt injection from a malicious document or webpage, this enables exfiltration of files outside the workspace boundary with no user interaction beyond the initial document processing. CVSS 7.5 High; published 2026-06-22. Original research published at blindcyber.com.
Why it matters
GitHub Copilot is embedded in VS Code and JetBrains IDEs with hundreds of millions of installations. This flaw creates a concrete path from prompt injection (e.g., a malicious comment in code, a crafted README, or a webpage loaded via Copilot) directly to arbitrary file read outside the workspace — SSH keys, .env files, cloud credential files — without any user approval dialog. It demonstrates that AI coding assistants can be weaponised as data exfiltration tools through their tool-call surfaces.
Attack vector
Indirect prompt injection from untrusted content processed by Copilot (document, code comment, web page) injects a file-handler URI into the fetch_webpage tool call, causing Copilot to read and return files outside the workspace folder.
Affected systems
GitHub Copilot 1.372.0
Mitigation
Update GitHub Copilot to a version beyond 1.372.0. NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-66389; Original research: https://blindcyber.com/2025/10/28/copilot-fun/