Critical Vulnerabilities Discovered in 4 Popular VS Code Extensions With 125 Million Installs
A recent investigation by cybersecurity researchers has uncovered multiple security vulnerabilities in four widely used Microsoft Visual Studio Code (VS Code) extensions. The extensions, which together have been installed more than 125 million times, are Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. If exploited, the flaws let an attacker read files from a developer's machine or run attacker-controlled code in the developer's environment, posing a significant risk to developers and the organizations they work for.
Vulnerabilities Discovered
The researchers from OX Security identified four vulnerabilities, three of which have CVE identifiers. The first, tracked as CVE-2025-65717, affects the Live Server extension and carries a CVSS score of 9.1. It lets an attacker exfiltrate local files by tricking a developer into visiting a malicious website while the extension's local development HTTP server is running. Once the page loads, its JavaScript sends requests to that server on the developer's own machine, crawls the files it serves, and transmits their contents to a domain under the attacker's control. Because the requests come from the victim's own browser, no inbound network access to the machine is needed. No patch was available at the time of the report.
The second vulnerability, CVE-2025-65716, affects the Markdown Preview Enhanced extension and has a CVSS score of 8.8. Here the delivery vehicle is a file rather than a website: an attacker supplies a crafted markdown document, and when the developer opens it in the extension's preview the embedded JavaScript executes. That script can enumerate services listening on the developer's local ports and exfiltrate what it finds to a domain under the attacker's control. This vulnerability also remained unpatched at the time of the report.
The third vulnerability, CVE-2025-65715, affects the Code Runner extension and carries a CVSS score of 7.8. Code Runner builds the shell command it executes from its configuration (for example the `code-runner.executorMap` entries), so an attacker who persuades a user, through phishing or social engineering, to accept a crafted "settings.json" gains arbitrary command execution the next time the user runs a file. This vulnerability also remained unpatched at the time of the report.
The fourth vulnerability, for which no CVE is listed, affects Microsoft's own Live Preview extension. As with Live Server, an attacker who lures the developer to a malicious website while the extension's preview server is running can read sensitive files from the developer's machine. Microsoft fixed this flaw silently, without an accompanying advisory, in version 0.4.16, released in September 2025.
Mitigation and Recommendations
To mitigate these risks, developers are advised to exercise caution when installing and configuring VS Code extensions: treat workspace settings files from untrusted sources with the same suspicion as code, disable or uninstall extensions that are not essential, and keep the remaining ones up to date. For Live Preview that means updating to 0.4.16 or later; for the other three extensions no fixed release was available at the time of the report, so updating alone does not help and removing or disabling them is the only complete mitigation. Local development servers should be stopped when not in use and, where the extension allows it, bound to the loopback interface only. Note that a network firewall does not defend against the website-based attacks described above, since the requests to the development server originate from the victim's own browser on the same machine; it only limits exposure of the server to other hosts on the network.
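As an added example (not code from the article or from OX Security), the following Python script turns the update-or-remove advice above into a check that can be run on a developer workstation. It parses the output of `code --list-extensions --show-versions`, which prints one `publisher.name@version` line per installed extension, and flags the four extensions discussed here. The marketplace identifiers used below are the ones under which the extensions are published (confirm them against the marketplace listing before relying on the script); the Live Preview fixed version, 0.4.16, comes from the article, and the listing embedded in the script is constructed sample input with illustrative version numbers.

```python
"""Flag installed VS Code extensions named in the OX Security advisory.

Feed it the output of `code --list-extensions --show-versions`, which prints
one `publisher.name@version` line per extension (run with --live to invoke
the `code` CLI directly; otherwise the constructed sample below is used).
"""
import re
import subprocess
import sys

# Marketplace identifiers of the four extensions discussed in the article.
# Live Preview has a fixed release (0.4.16); the other three had no fixed
# release at the time of the report, so any installed version is flagged.
ADVISORY = {
    "ms-vscode.live-server": ("Microsoft Live Preview", (0, 4, 16)),
    "ritwickdey.liveserver": ("Live Server", None),
    "formulahendry.code-runner": ("Code Runner", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced", None),
}

# Constructed sample listing (versions are illustrative, not real release data).
SAMPLE_LISTING = """\
ms-python.python@2024.22.2
ritwickdey.LiveServer@5.7.9
ms-vscode.live-server@0.4.15
formulahendry.code-runner@0.12.2
esbenp.prettier-vscode@11.0.0
"""

LINE_RE = re.compile(r"^(?P<id>[^@\s]+)@(?P<ver>[0-9][0-9A-Za-z.\-+]*)$")


def parse_version(ver: str) -> tuple:
    """Compare on the leading numeric components only: '0.4.16-beta' -> (0, 4, 16)."""
    core = ver.split("-")[0].split("+")[0]
    return tuple(int(p) for p in core.split(".") if p.isdigit())


def parse_listing(text: str) -> dict:
    """Map lowercased extension id -> version string, skipping lines that do not match."""
    found = {}
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            # Extension ids are case-insensitive in the marketplace; normalise them.
            found[m.group("id").lower()] = m.group("ver")
    return found


def assess(listing: dict) -> list:
    """Return (id, name, installed_version, status) for each advisory extension present."""
    results = []
    for ext_id, (name, fixed) in ADVISORY.items():
        ver = listing.get(ext_id)
        if ver is None:
            continue
        if fixed is None:
            status = "VULNERABLE (no fixed release; remove or disable)"
        elif parse_version(ver) >= fixed:
            status = "patched"
        else:
            status = f"VULNERABLE (update to {'.'.join(map(str, fixed))} or later)"
        results.append((ext_id, name, ver, status))
    return results


def main(argv):
    if "--live" in argv:
        # Assumes the `code` CLI shim is on PATH.
        text = subprocess.run(["code", "--list-extensions", "--show-versions"],
                              check=True, capture_output=True, text=True).stdout
    else:
        text = SAMPLE_LISTING
    rows = assess(parse_listing(text))
    if not rows:
        print("none of the advisory extensions are installed")
    for ext_id, name, ver, status in rows:
        print(f"{name} ({ext_id}) {ver}: {status}")
    # Non-zero exit so the check can gate a CI or fleet-inventory job.
    return 1 if any("VULNERABLE" in r[3] for r in rows) else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it with `--live` on a workstation, or pipe a saved listing from many machines through `parse_listing` and `assess` to inventory a fleet. Version comparison deliberately ignores pre-release suffixes, so a 0.4.16 pre-release is treated as fixed; tighten `parse_version` if that matters in your environment.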
According to OX Security, “Poorly written extensions, overly permissive extensions, or malicious ones can execute code, modify files, and allow attackers to take over a machine and exfiltrate information. Keeping vulnerable extensions installed on a machine is an immediate threat to an organization’s security posture: it may take only one click, or a single vulnerability within one extension, to perform lateral movement and compromise entire organizations.”
