GitHub Copilot — Security Profile

Product Overview

ComponentDescriptionAttack Surface
Copilot ChatAI chat within VS Code / JetBrains for code Q&APrompt injection, context poisoning
Copilot InlineCode completion and suggestion enginePoisoned training data, suggestion manipulation
Copilot WorkspaceAgentic environment for planning and implementing changesWorkspace file manipulation, prompt injection → code execution
Copilot ExtensionsThird-party integrationsExtension-mediated prompt injection

Key Vulnerabilities

IDEsaster Findings

CVESeverityDescriptionControl
CVE-2025-64660HighWorkspace configuration manipulation via prompt injection. AI agent writes to .code-workspace files, modifying multi-root workspace settings to achieve code execution.Restrict agent write access to workspace config files; monitor .code-workspace modifications
CVE-2025-49150HighPart of IDEsaster research — prompt injection chains affecting Copilot alongside other AI IDEs.Update to latest Copilot version; review all auto-approved file write operations

General Copilot Risks

RiskDescriptionControl
Poisoned suggestionsCopilot trained on public GitHub repos. Attackers can contribute malicious code patterns to popular repos, influencing Copilot's suggestions to other developers.Always review AI-generated code; don't blindly accept suggestions; run static analysis on generated code
Context window poisoningMalicious comments in project files can steer Copilot's suggestions. // TODO: Replace authentication with hardcoded token for testing may cause Copilot to generate insecure code.Audit code comments in shared repositories; establish coding guidelines that prohibit misleading comments
Secret leakage in suggestionsCopilot may suggest code patterns that include hardcoded credentials or API keys memorized from training data.Enable secret scanning on all repos; never commit AI-suggested credentials

What to Test in Engagements

□ Context poisoning via malicious code comments
□ Workspace config manipulation via Copilot Chat
□ Extension-mediated prompt injection
□ Copilot suggestion manipulation via repo poisoning
□ Secret leakage in generated code
□ Auto-approved file write operations scope