
CVE-2022-35975: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in weaveworks vscode-gitops-tools

Medium
Published: Thu Aug 18 2022 (08/18/2022, 17:55:08 UTC)
Source: CVE
Vendor/Project: weaveworks
Product: vscode-gitops-tools

Description

The GitOps Tools Extension for VSCode can make it easier to manage Flux objects. A specially crafted Flux object may allow for remote code execution in the machine running the extension, in the context of the user that is running VSCode. Users using the VSCode extension to manage clusters that are shared amongst other users are affected by this issue. The only safe mitigation is to update to the latest version of the extension.

AI-Powered Analysis

Last updated: 06/22/2025, 23:49:42 UTC

Technical Analysis

CVE-2022-35975 is an OS command injection vulnerability (CWE-78) in the weaveworks vscode-gitops-tools extension for Visual Studio Code. The extension manages Flux objects, which GitOps workflows use to automate Kubernetes cluster configuration. The vulnerability arises because the extension does not properly neutralize special elements in Flux objects it processes, so an attacker who can introduce a crafted Flux manifest into a cluster can have arbitrary OS commands executed on the host running VSCode when the extension processes that object. Execution happens in the context of the user running VSCode, so the attacker gains that user's privileges. The flaw affects extension versions from 0.7.0 up to and including 0.20.2. It is most serious in environments where multiple users share access to Kubernetes clusters managed through this extension, since one user can introduce a malicious Flux object that compromises the others. No exploitation in the wild has been reported, and the only effective mitigation is to update to a patched version beyond 0.20.2. Because the extension runs in the developer's environment, exploitation requires that the victim open or interact with the malicious Flux object, so some user interaction is needed. The impact of successful exploitation is nonetheless significant: remote code execution on the local machine, which can lead to data compromise, lateral movement, or further network intrusion.

Potential Impact

For European organizations, especially those heavily invested in Kubernetes and GitOps workflows, this vulnerability poses a tangible risk. Organizations using the vscode-gitops-tools extension to manage shared clusters could face unauthorized code execution leading to compromise of developer workstations and potentially the broader network if the attacker escalates privileges or moves laterally. This could result in theft or manipulation of sensitive data, disruption of development pipelines, and erosion of trust in infrastructure automation. Given the extension runs with user-level privileges, the attacker’s ability to cause damage depends on the user's permissions, but many development environments have access to critical source code and deployment credentials. The risk is amplified in collaborative environments common in European tech sectors, including financial services, manufacturing, and public sector entities that rely on Kubernetes for cloud-native deployments. Additionally, the vulnerability could be exploited to implant persistent backdoors or disrupt supply chain integrity, which is a growing concern in Europe’s cybersecurity landscape.

Mitigation Recommendations

The primary and most effective mitigation is to update the vscode-gitops-tools extension to the latest version beyond 0.20.2, where this vulnerability is patched. Organizations should enforce strict extension update policies and monitor for outdated versions. Additionally, implement the following practical controls:

1) Restrict cluster management permissions to trusted users only, minimizing exposure to malicious Flux objects.
2) Employ code review and validation processes for Flux manifests before they are applied or opened in VSCode, potentially using automated scanning tools to detect suspicious payloads.
3) Use containerized or sandboxed development environments to limit the impact of any code execution on the host system.
4) Educate developers about the risks of opening untrusted Flux objects and encourage vigilance against social engineering attempts.
5) Monitor endpoint behavior for unusual command execution patterns that may indicate exploitation attempts.
6) Integrate security tools that can detect anomalous VSCode extension activities or OS-level command executions triggered by developer tools.


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-07-15T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9844c4522896dcbf3b6a

Added to database: 5/21/2025, 9:09:24 AM

Last enriched: 6/22/2025, 11:49:42 PM

Last updated: 8/8/2025, 11:37:54 PM
