Popular VSCode Extensions Expose Developers to Security Risks Due to Unaddressed Flaws


Multiple Vulnerabilities Discovered in Popular Visual Studio Code Extensions

Multiple vulnerabilities have been discovered in popular Visual Studio Code (VSCode) extensions, posing a significant risk to developers and their corporate environments. The affected extensions are Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview, with a combined user base of over 120 million.

Vulnerabilities Discovered

The security issues, which range from high to critical severity, were identified by researchers at Ox Security in June 2025. Despite attempts to disclose the vulnerabilities to the maintainers, no response was received.

What are VSCode Extensions?

VSCode extensions are add-ons that enhance the functionality of Microsoft’s integrated development environment (IDE). They can add language support, debugging tools, themes, and other features, but also run with significant access to the local development environment, including files, terminals, and network resources.

Risk of Exploitation

The vulnerabilities can be exploited to gain remote code execution (RCE) in the IDE, allowing attackers to move laterally, exfiltrate data, and take control of the system. The flaws also apply to Cursor and Windsurf, AI-powered VSCode-compatible alternative IDEs.

Discovered Vulnerabilities

  • CVE-2025-65715: A critical vulnerability in the Live Server extension, with over 72 million users, which can be exploited for RCE.
  • CVE-2025-65716: A high-severity vulnerability in the Code Runner extension, with 37 million users, which can also be exploited for RCE.
  • CVE-2025-65717: A critical vulnerability in the Markdown Preview Enhanced extension, with 8.5 million users, which can be exploited for RCE.
  • A one-click XSS vulnerability in versions of Microsoft Live Preview before 0.4.16, which can be exploited to access sensitive files on a developer’s machine.

Mitigation and Recommendations

Ox Security’s report highlights the risks associated with a threat actor leveraging these issues, including pivoting on the network and stealing sensitive details like API keys and configuration files.

To mitigate these risks, developers are advised to avoid running localhost servers unless necessary, to avoid opening untrusted HTML files while such a server is running, and to avoid applying untrusted configurations or pasting snippets into settings.json. It is also recommended to remove unnecessary extensions and to install only those from reputable publishers, while monitoring for unexpected changes to settings.

By taking these precautions, developers can reduce the risk of exploitation and protect their corporate environments from potential attacks.
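As an added example (not code from the article or from Ox Security), the following script turns the recommendations above into a quick audit of a developer workstation: it reads the listing produced by `code --list-extensions --show-versions`, flags any of the four named extensions, and for Microsoft Live Preview compares the installed version against the fixed version 0.4.16. The marketplace identifiers are assumed from the extensions' publisher pages, the `code` CLI is assumed to be on PATH, and the sample listing is constructed for illustration.

```python
import re
import subprocess

# Assumed marketplace identifiers for the four extensions named in the report.
# Value: (display name, issue from the report, first fixed version or None if none is reported).
WATCHED = {
    "ritwickdey.liveserver": ("Live Server", "CVE-2025-65715", None),
    "formulahendry.code-runner": ("Code Runner", "CVE-2025-65716", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced", "CVE-2025-65717", None),
    "ms-vscode.live-server": ("Microsoft Live Preview", "one-click XSS", (0, 4, 16)),
}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE = """\
ms-python.python@2024.22.0
ritwickdey.LiveServer@5.7.9
ms-vscode.live-server@0.4.15
shd101wyy.markdown-preview-enhanced@0.8.18
"""

def parse_version(text):
    """Turn '0.4.15' (or '0.4.15-pre') into a comparable tuple of ints."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def audit(lines):
    """Return (extension id, installed version, message) for every flagged extension."""
    findings = []
    for line in lines:
        line = line.strip()
        if "@" not in line:
            continue
        ext_id, version = line.rsplit("@", 1)
        info = WATCHED.get(ext_id.lower())  # listing keeps the publisher's casing
        if info is None:
            continue
        name, issue, fixed_in = info
        if fixed_in is None:
            findings.append((ext_id, version, f"{name}: {issue} reported as unaddressed; consider removing"))
        elif parse_version(version) < fixed_in:
            fixed = ".".join(map(str, fixed_in))
            findings.append((ext_id, version, f"{name}: {issue}; update to {fixed} or later"))
    return findings

def installed_extensions():
    """Ask the VS Code CLI for the installed extensions with their versions."""
    out = subprocess.run(["code", "--list-extensions", "--show-versions"],
                         capture_output=True, text=True, check=True)
    return out.stdout.splitlines()

if __name__ == "__main__":
    for ext_id, version, message in audit(installed_extensions()):
        print(f"{ext_id}@{version}: {message}")
```

Running the script against the constructed sample flags three of the four lines; a Live Preview entry at 0.4.16 or later is not reported.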
