Hello Ahmad,
Thanks for letting me know.
This fork is almost fully 1:1 with microsoft’s repo, the difference is only minor bug fixes and improvements.

I cannot see technical details about the vulnerability on microsoft’s page, do you know where can I find additional details so I could fix this ASAP.

@ahmsec Good catch but I don’t think it is why Microsoft stopped development. Have you read
their statement over in the repo?

@MatthewSteeves Fair enough. When I reported this vulnerability to Microsoft, they said their resolution was to deprecate the plugin. So the vulnerability may have been a contributing factor, if not the entire reason, for deprecation.

@lersi The core issue is that the plugin launches an unauthenticated localhost webserver. This webserver exposes sensitive capabilities. Anyone who can send network requests to this webserver (say a malicious webpage) can exploit the capabilities of the webserver.

To reproduce:

1. Activate the plugin
2. Run sudo netstat -tunpl and note the webserver's port
3. Run curl -X POST -H 'Content-Type: application/json' --data '{"link": "https://www.example.com/"}' http://localhost:55842/api/openlink (but first update the port).

The full RCE exploit is a bit more involved. I plan to share it at a later time. But the crux of the matter is this exposed webserver.

My suggestion would be to remove the webserver entirely, and use a different IPC mechanism between the UI and the code that invokes arduino-cli.

@ahmsec Ahh ok - interesting! Given their response, I would agree it may well have factored in. Thanks for the additional background.