Critical Vulnerabilities Discovered in Popular VS Code Extensions Installed by 125 Million Users


A recent investigation by cybersecurity researchers has uncovered multiple security vulnerabilities in four widely used Microsoft Visual Studio Code (VS Code) extensions. These flaws, if exploited, could allow threat actors to steal sensitive files and execute code remotely. The affected extensions, which have been installed over 125 million times, are Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview.

Vulnerabilities Identified

The researchers found that a single malicious extension or vulnerability within an extension can be enough to compromise an entire organization.

“Our research demonstrates that a hacker needs only one malicious extension, or a single vulnerability within one extension, to perform lateral movement and compromise entire organizations,” said OX Security researchers Moshe Siman Tov Bustan and Nir Zadok.

  • CVE-2025-65717 (CVSS score: 9.1): A vulnerability in Live Server allows attackers to exfiltrate local files by tricking a developer into visiting a malicious website. The extension’s JavaScript code can crawl and extract files from the local development HTTP server and transmit them to a domain under the attacker’s control. This vulnerability remains unpatched.
  • CVE-2025-65716 (CVSS score: 8.8): A vulnerability in Markdown Preview Enhanced enables attackers to execute arbitrary JavaScript code by uploading a crafted markdown (.md) file. This allows local port enumeration and exfiltration to a domain under the attacker’s control. This vulnerability remains unpatched.
  • CVE-2025-65715 (CVSS score: 7.8): A vulnerability in Code Runner allows attackers to execute arbitrary code by convincing a user to alter the “settings.json” file through phishing or social engineering. This vulnerability remains unpatched.
  • A vulnerability in Microsoft Live Preview allows attackers to access sensitive files on a developer’s machine by tricking a victim into visiting a malicious website. This enables specially crafted JavaScript requests targeting the localhost to enumerate and exfiltrate sensitive files. Although this vulnerability was fixed silently by Microsoft in version 0.4.16 released in September 2025, no CVE was assigned.

Protecting Development Environments

To protect development environments, it is essential to avoid applying untrusted configurations, disable or uninstall non-essential extensions, harden the local network behind a firewall, periodically update extensions, and turn off localhost-based services when not in use.
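As an added defender-side check (not code from the article or from OX Security), the following Python script parses the output of `code --list-extensions --show-versions` and flags the four extensions named above, reporting whether the installed version is one the article describes as unpatched or, for Live Preview, older than the 0.4.16 fix. The marketplace identifiers and the version comparison are assumptions made for this example.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# Assumed marketplace IDs for the four extensions named in the article;
# the last field is the first fixed version the article reports, or None if unpatched.
AFFECTED = {
    "ritwickdey.liveserver": ("Live Server", "CVE-2025-65717", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced", "CVE-2025-65716", None),
    "formulahendry.code-runner": ("Code Runner", "CVE-2025-65715", None),
    "ms-vscode.live-server": ("Microsoft Live Preview", "no CVE assigned", (0, 4, 16)),
}

# One line of `code --list-extensions --show-versions` output: publisher.name@version
LINE_RE = re.compile(r"^(?P<ext>[^@\s]+)@(?P<ver>\d[\w.\-]*)$")

def parse_version(ver: str) -> Tuple[int, ...]:
    """'0.4.16' -> (0, 4, 16); a pre-release suffix after '-' is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", ver.split("-")[0]))

def assess(listing: str) -> List[Dict[str, str]]:
    """Return one finding per affected extension present in the listing."""
    findings = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ext_id = m.group("ext").lower()  # marketplace IDs are case-insensitive
        if ext_id not in AFFECTED:
            continue
        name, ref, fixed = AFFECTED[ext_id]
        if fixed is None:
            status = "vulnerable (no fixed version reported; disable or remove)"
        elif parse_version(m.group("ver")) < fixed:
            status = "vulnerable (update to %s or later)" % ".".join(map(str, fixed))
        else:
            status = "patched"
        findings.append({"id": ext_id, "name": name, "version": m.group("ver"),
                         "ref": ref, "status": status})
    return findings

if __name__ == "__main__":
    try:
        out = subprocess.run(["code", "--list-extensions", "--show-versions"],
                             capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        raise SystemExit(f"could not run the VS Code CLI: {exc}")
    for f in assess(out):
        print(f"{f['name']} {f['version']}: {f['status']} [{f['ref']}]")
```

Run it on each developer workstation (or feed it saved CLI output collected by your endpoint tooling) to build an inventory of affected installs.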

“Poorly written extensions, overly permissive extensions, or malicious ones can execute code, modify files, and allow attackers to take over a machine and exfiltrate information,” warned OX Security.

Organizations must take immediate action to address these vulnerabilities: leaving the affected extensions installed, unpatched, or enabled by default poses an immediate threat to their security posture.
