Popular VSCode Extensions Vulnerable to Security Threats: A Growing Concern for Developers
Critical Vulnerabilities in Popular VSCode Extensions Put Developers at Risk
Multiple security flaws have been discovered in widely used Visual Studio Code (VSCode) extensions, exposing developers to potential attacks. The vulnerabilities, which range from high to critical severity, affect the Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview extensions.
Discovery and Disclosure
Researchers at Ox Security identified the flaws and attempted to disclose them to the maintainers in June 2025. However, the researchers claim that they received no response.
VSCode extensions are add-ons that enhance the functionality of Microsoft’s integrated development environment (IDE). They run with significant access to local development environments, including files, terminals, and network resources. The vulnerable extensions have millions of downloads, with Live Server having over 72 million downloads, Code Runner with 37 million, and Markdown Preview Enhanced with 8.5 million.
Vulnerabilities and Risks
The CVE-2025-65717 critical vulnerability in the Live Server extension can be exploited for remote code execution, allowing an attacker to access sensitive files on a developer’s machine. The CVE-2025-65715 vulnerability in the Code Runner extension has a high-severity score of 8.8 and can also be exploited for remote code execution. Additionally, a one-click XSS vulnerability was discovered in versions of Microsoft Live Preview before 0.4.16, which can be exploited to access sensitive files.
The flaws also affect Cursor and Windsurf, AI-powered VSCode-compatible alternative IDEs. According to Ox Security’s report, the risks associated with a threat actor leveraging these issues include pivoting on the network and stealing sensitive details like API keys and configuration files.
Mitigation and Recommendations
To mitigate these risks, developers are advised not to run localhost servers unless necessary, not to open untrusted HTML files while such a server is running, and not to apply untrusted configurations or paste snippets into settings.json. It is also recommended to remove unnecessary extensions and only install those from reputable publishers, while monitoring for unexpected setting changes.
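As an added example (not from the article or from Ox Security), the inventory check below flags the extensions named above in the output of `code --list-extensions --show-versions`; the marketplace identifiers and the constructed sample listing are assumptions, since the article names the extensions but not their IDs.

```python
import re
import sys

# Assumed marketplace IDs for the extensions named in the report, mapped to the
# first version the report treats as fixed, or None when no fixed release is
# reported (the maintainers had not responded at disclosure time).
AFFECTED = {
    "ritwickdey.liveserver": None,                # Live Server, CVE-2025-65717
    "formulahendry.code-runner": None,            # Code Runner, CVE-2025-65715
    "shd101wyy.markdown-preview-enhanced": None,  # Markdown Preview Enhanced
    "ms-vscode.live-server": (0, 4, 16),          # Live Preview: one-click XSS before 0.4.16
}

# Constructed sample in the `publisher.name@version` shape the CLI prints.
SAMPLE_LISTING = """ritwickdey.LiveServer@5.7.9
ms-vscode.live-server@0.4.15
ms-python.python@2025.1.0
"""

LINE_RE = re.compile(r"^(?P<ext>[^@\s]+)@(?P<ver>\S+)$")

def parse_version(ver: str) -> tuple:
    """Turn '0.4.15' into (0, 4, 15); pre-release suffixes such as '-beta' are dropped."""
    parts = []
    for piece in ver.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)

def find_affected(listing: str) -> list:
    """Return (extension_id, version) pairs that are at risk according to the report."""
    hits = []
    for line in listing.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ext, ver = m["ext"].lower(), m["ver"]
        if ext not in AFFECTED:
            continue
        fixed = AFFECTED[ext]
        # No known fix: any installed version is flagged; otherwise flag only older builds.
        if fixed is None or parse_version(ver) < fixed:
            hits.append((ext, ver))
    return hits

if __name__ == "__main__":
    # Pipe `code --list-extensions --show-versions` in; otherwise scan the sample.
    listing = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for ext, ver in find_affected(listing):
        print(f"AT RISK: {ext}@{ver}")
```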
The discovery of these vulnerabilities highlights the importance of securing the development environment and the need for developers to be cautious when installing and using extensions. By taking proactive measures, developers can reduce the risk of attacks and protect their sensitive data.
