Critical Flaws Exposed in 4 Popular VS Code Extensions Used by 125 Million Developers


Multiple Security Vulnerabilities Discovered in Popular VS Code Extensions

Cybersecurity researchers have identified critical flaws in four widely-used Microsoft Visual Studio Code (VS Code) extensions, which have been installed over 125 million times.

The four vulnerable extensions, Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview, can be exploited by threat actors to steal sensitive files and execute malicious code remotely.

Live Server Extension Vulnerability

The first vulnerability, tracked as CVE-2025-65717, affects the Live Server extension and carries a CVSS score of 9.1.

This flaw allows attackers to exfiltrate local files by tricking developers into visiting a malicious website while the extension is running.

The embedded JavaScript code can crawl and extract files from the local development HTTP server, transmitting them to a domain controlled by the attackers.

This vulnerability remains unpatched.

Markdown Preview Enhanced Extension Vulnerability

Another vulnerability, CVE-2025-65716, affects the Markdown Preview Enhanced extension and has a CVSS score of 8.8.

This flaw enables attackers to execute arbitrary JavaScript code by uploading a crafted markdown (.md) file, allowing local port enumeration and exfiltration to a domain under their control.

This vulnerability also remains unpatched.

Code Runner Extension Vulnerability

The Code Runner extension is affected by CVE-2025-65715, which has a CVSS score of 7.8.

This vulnerability allows attackers to execute arbitrary code by convincing users to alter the “settings.json” file through phishing or social engineering tactics.

This vulnerability remains unpatched.

Microsoft Live Preview Extension Vulnerability

A fourth vulnerability affects the Microsoft Live Preview extension, allowing attackers to access sensitive files on a developer’s machine by tricking them into visiting a malicious website while the extension is running.

This vulnerability was silently fixed by Microsoft in version 0.4.16, released in September 2025.

Mitigation and Recommendations

To mitigate these risks, developers should avoid applying untrusted configurations, disable or uninstall non-essential extensions, and harden their local network behind a firewall to restrict inbound and outbound connections.

Regularly updating extensions and turning off localhost-based services when not in use can also help secure the development environment.
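The recommendations above start with knowing which of the affected extensions are installed and at what version. The following audit script is an added example, not code from the article or from OX Security: it parses the output of `code --list-extensions --show-versions` (one `publisher.name@version` entry per line), flags the three extensions the article reports as unpatched regardless of version, and flags Microsoft Live Preview only below the 0.4.16 fix. The marketplace IDs used as keys are assumptions (the article names the extensions but not their IDs), and the sample CLI output is constructed.

```python
"""Audit installed VS Code extensions against the four named in the article.

Input is the output of `code --list-extensions --show-versions`, one
`publisher.name@version` entry per line. Sample lines below are constructed.
"""
import re
import subprocess

# Assumed marketplace IDs for the four extensions (not given in the article).
# Live Server, Code Runner and Markdown Preview Enhanced are reported unpatched,
# so any installed version is flagged; Live Preview is fixed in 0.4.16.
AFFECTED = {
    "ritwickdey.liveserver": ("Live Server", "CVE-2025-65717", None),
    "formulahendry.code-runner": ("Code Runner", "CVE-2025-65715", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced", "CVE-2025-65716", None),
    "ms-vscode.live-server": ("Microsoft Live Preview", None, (0, 4, 16)),
}

LINE_RE = re.compile(r"^(?P<id>[^@\s]+)@(?P<version>\S+)$")


def parse_version(text):
    """Turn '0.4.16' into (0, 4, 16); stop at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def audit(lines):
    """Return (extension_id, version, reason) for each installed extension that is affected."""
    findings = []
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skip blank or malformed lines
        ext_id = m.group("id").lower()  # the CLI prints IDs with mixed case
        version = m.group("version")
        if ext_id not in AFFECTED:
            continue
        name, cve, fixed_in = AFFECTED[ext_id]
        if fixed_in is None:
            findings.append((ext_id, version, f"{name}: {cve} unpatched; disable or uninstall"))
        elif parse_version(version) < fixed_in:
            fixed = ".".join(map(str, fixed_in))
            findings.append((ext_id, version, f"{name}: update to {fixed} or later"))
    return findings


def installed_extensions():
    """Run the VS Code CLI; returns [] if `code` is not on PATH or the call fails."""
    try:
        out = subprocess.run(["code", "--list-extensions", "--show-versions"],
                             capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return []
    return out.splitlines()


# Constructed sample of CLI output (version numbers invented) for an offline run.
SAMPLE = [
    "ms-python.python@2024.2.1",
    "ritwickdey.LiveServer@5.7.9",
    "ms-vscode.live-server@0.4.15",
    "shd101wyy.markdown-preview-enhanced@0.8.14",
]

if __name__ == "__main__":
    lines = installed_extensions() or SAMPLE
    for ext_id, version, reason in audit(lines):
        print(f"{ext_id}@{version}: {reason}")
```

Run it on each developer machine, or feed it the CLI output collected by your endpoint inventory; any finding for the three unpatched extensions is a removal candidate rather than an update, since no fixed version is reported.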

According to OX Security researchers Moshe Siman Tov Bustan and Nir Zadok, “Poorly written extensions, overly permissive extensions, or malicious ones can execute code, modify files, and allow attackers to take over a machine and exfiltrate information.

Keeping vulnerable extensions installed on a machine is an immediate threat to an organization’s security posture: it may take only one click, or a single vulnerability within one extension, to perform lateral movement and compromise entire organizations.”
