HeadlinesBriefing.com

VSCode Extension Security Flaws Exposed: File Exfiltration Risks

Hacker News

A security researcher discovered three vulnerabilities in Microsoft VSCode extensions and one in VSCode itself, earning a $7,500 bounty for a security mitigation bypass (CVE-2022-41042). The vulnerabilities allowed attackers to escape Webview sandboxes and exfiltrate local files, including sensitive SSH keys, through malicious SARIF files or websites.

The research focused on Microsoft's SARIF viewer and Live Preview extensions, which parse potentially untrusted input. The SARIF viewer vulnerability stemmed from unsafe HTML rendering using ReactMarkdown with `escapeHtml` set to `false`, enabling JavaScript injection. Combined with an overly permissive `localResourceRoots` configuration that allowed filesystem access across all drives, this created a critical path for arbitrary file exfiltration.

Attackers could weaponize these flaws using DNS rebinding, CSP-bypassing techniques, and `srcdoc` iframes to steal files despite restrictive Content-Security-Policy headers. The researcher demonstrated fully working exploits showing how visiting a malicious website while an extension runs in the background could compromise an entire system. The findings underscore the importance of proper Webview configuration and input sanitization in VSCode extensions that handle untrusted data.
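
The following JavaScript is an added example, not code from the researcher or from Microsoft's extensions: it audits the options an extension would pass when creating a Webview and flags `localResourceRoots` entries that expose a drive or filesystem root, or anything outside the extension's own directory. The function names, finding labels and sample paths are assumptions made for illustration.

```javascript
// Added example. Paths are plain strings here; a real extension passes
// vscode.Uri values in localResourceRoots.

// Split an absolute path into segments, resolving "." and "..".
// [] means "/", ["C:"] means a Windows drive root.
function segments(p) {
  const out = [];
  for (const seg of p.replace(/\\/g, '/').split('/')) {
    if (seg === '..') out.pop();
    else if (seg !== '' && seg !== '.') out.push(seg);
  }
  return out;
}

function isFilesystemRoot(p) {
  const s = segments(p);
  return s.length === 0 || (s.length === 1 && /^[A-Za-z]:$/.test(s[0]));
}

// True when child equals parent or lies beneath it.
function isInside(child, parent) {
  const c = segments(child), q = segments(parent);
  return q.length <= c.length && q.every((seg, i) => seg === c[i]);
}

// Returns a list of findings; an empty list means every root is confined
// to the extension's own directory.
function auditWebviewOptions(options, extensionRoot) {
  const findings = [];
  const roots = options.localResourceRoots;
  if (roots === undefined) {
    // VS Code's documented default: workspace folders plus the extension directory.
    findings.push('default-roots: workspace folders are readable');
  } else {
    for (const r of roots) {
      if (isFilesystemRoot(r)) findings.push(`filesystem-root: ${r}`);
      else if (!isInside(r, extensionRoot)) findings.push(`outside-extension: ${r}`);
    }
  }
  if (options.enableScripts && findings.length > 0) {
    findings.push('scripts-enabled: webview script can load files under the roots above');
  }
  return findings;
}

// Constructed sample inputs (hypothetical extension path).
const EXT_ROOT = '/home/u/.vscode/extensions/example.viewer';
const WEAK = { enableScripts: true, localResourceRoots: ['C:\\', 'D:\\', '/'] };
const HARDENED = { enableScripts: true, localResourceRoots: [EXT_ROOT + '/media'] };
```

Running `auditWebviewOptions(WEAK, EXT_ROOT)` reports each drive or root entry plus the script finding, while `HARDENED` returns an empty list.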