Vulnerabilities in Agentforce Vibes Extension and MuleSoft Anypoint Code Builder for Desktop

Udgivelsesdato: Apr 22, 2026

Beskrivelse

Salesforce Security has identified and resolved vulnerabilities in the Agentforce Vibes extension and MuleSoft Anypoint Code Builder for Desktop environments. These vulnerabilities affect MuleSoft Anypoint Code Builder for Desktop Extension Pack versions prior to 1.12.1 and Agentforce Vibes extension versions prior to 3.3.0.

A CVSSv4 score of 9.0 is considered Critical severity.

Vulnerability Details

CVE-2025-10875 & CVE-2025-64320 — Arbitrary Command Execution via Agent Tool

A vulnerability in one of the agent's tools could allow arbitrary command execution without user approval. When combined with prompt injection, this vulnerability could enable remote code execution, potentially granting full access to the victim's Salesforce organization.

CVSSv4 Score: 9.0 (Critical)

CVE-2025-64318 & CVE-2025-64321 — Arbitrary Command Execution via Configuration Files

Editing special configuration files could allow arbitrary command execution. When combined with prompt injection, this could result in remote code execution, potentially granting full access to the victim's Salesforce organization.

CVSSv4 Score: 9.0 (Critical)

CVE-2025-64319 & CVE-2025-64322 — Arbitrary Command Execution via Workspace Files

Editing special workspace files could allow arbitrary command execution. When combined with prompt injection, this could result in remote code execution, potentially granting full access to the victim's Salesforce organization.

CVSSv4 Score: 9.0 (Critical)

Affected Versions

Product	Affected Versions	Patched Version
Agentforce Vibes Extension	Prior to 3.3.0	3.3.0 or later
MuleSoft Anypoint Code Builder for Desktop Extension Pack	Prior to 1.12.1	1.12.1 or later

Løsning

Both the Agentforce Vibes and Anypoint Code Builder - Platform Extension products require updates to their respective extensions to resolve these vulnerabilities. Typically, both products automatically retrieve the latest updates and prompt the user to apply them by clicking the Restart Extensions button in the Extensions pane.

Remediation Steps:

Customers who have disabled automatic updates or update checking must manually update the relevant extension to receive the necessary remediations. The steps for manually updating extensions are as follows:

If you have auto-updates disabled, you can look for extension updates by using the Show Extension Updates command that uses the @updates filter. This will display any available updates for your currently installed extensions. Select the Update button for the extension that needs to be updated (Agentforce Vibes or Anypoint Code Builder - Platform Extension). The update will be installed, and you'll be prompted to restart the extension host (Restart Extensions).
If automatic update checking is disabled, you can manually check for available extension updates using the Check for Extension Updates command. This allows you to identify and then update the necessary extensions, such as Agentforce Vibes or Anypoint Code Builder - Platform Extension.

Vidensartikelnummer

005228032

Løste denne artikel dit problem?

Giv os besked, så vi kan forbedre os!

General Information

Required Cookies

Functional Cookies

Advertising Cookies