Multiple security vulnerabilities have been identified in four widely used Microsoft Visual Studio Code (VS Code) extensions, according to cybersecurity researchers. These flaws, if exploited, could enable malicious actors to steal sensitive local files and execute arbitrary code remotely on a developer’s machine, posing a significant threat to software development environments.
VS Code Extension Vulnerabilities Pose Major Security Risk
The affected extensions – Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview – collectively boast over 125 million installations. Researchers from OX Security highlighted in a recent report that a single compromised extension, or even one vulnerability within an extension, can be sufficient for attackers to initiate lateral movement within a network and potentially compromise entire organizations.
The discovery underscores the critical importance of vetting and managing third-party code within development toolchains. As developers increasingly rely on extensions to enhance productivity and streamline workflows, they may inadvertently introduce significant security risks if these tools are not adequately secured or monitored.
Detailed Vulnerability Analysis
OX Security researchers detailed several specific vulnerabilities discovered:
Live Server Extension Vulnerability (CVE-2025-65717)
This vulnerability, assigned a CVSS score of 9.1, allows attackers to exfiltrate local files. By tricking a developer into visiting a malicious website while the Live Server extension is active, embedded JavaScript can crawl and extract files from the local development HTTP server running on localhost:5500. These files can then be transmitted to a domain controlled by the attacker. This vulnerability reportedly remains unpatched.
Markdown Preview Enhanced Extension Vulnerability (CVE-2025-65716)
With a CVSS score of 8.8, this flaw enables attackers to execute arbitrary JavaScript code. This can be achieved by the user uploading a crafted markdown (.md) file. Successful exploitation allows for local port enumeration and subsequent data exfiltration to an attacker-controlled domain. This vulnerability is also noted as remaining unpatched.
Code Runner Extension Vulnerability (CVE-2025-65715)
Rated with a CVSS score of 7.8, this vulnerability in the Code Runner extension allows attackers to execute arbitrary code. The attack vector involves convincing a user to alter the “settings.json” file through phishing or social engineering tactics. Like the aforementioned vulnerabilities, this issue is also reported as unpatched.
Microsoft Live Preview Extension Vulnerability
While not assigned a specific CVE identifier, a vulnerability in Microsoft’s own Live Preview extension allows attackers to access sensitive files on a developer’s machine. This can occur if a victim is tricked into visiting a malicious website while the extension is running. Specially crafted JavaScript requests can then target localhost to enumerate and exfiltrate sensitive files. Microsoft reportedly fixed this vulnerability silently in version 0.4.16, released in September 2025.
Mitigation Strategies for Developers and Organizations
To fortify development environments against such threats, cybersecurity experts recommend several key practices. It is crucial to avoid applying configurations from untrusted sources. Additionally, disabling or uninstalling non-essential extensions can significantly reduce the attack surface. Hardening the local network by implementing a firewall to restrict both inbound and outbound connections is also advised.
Furthermore, developers should make it a habit to periodically update their extensions to the latest versions, which often include security patches. When not in active use, turning off localhost-based services can prevent potential exploitation. As OX Security pointed out, “Poorly written extensions, overly permissive extensions, or malicious ones can execute code, modify files, and allow attackers to take over a machine and exfiltrate information.”
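The following script is an added example (not code from OX Security, Microsoft, or any of the extension projects) that turns the mitigation advice above, and the settings.json point made about Code Runner, into a quick audit a developer or security team can run. It parses the output of `code --list-extensions --show-versions` (one `publisher.name@version` per line) and flags any of the four extensions named in the report, comparing the Live Preview version against the 0.4.16 fix the report cites. The marketplace identifiers used for the four extensions, and the `code-runner.*` setting keys it looks for, are assumptions on my part rather than values the report states; the sample listing and sample settings are constructed.

```python
"""Audit installed VS Code extensions against the four named in the report and
flag Code Runner executor overrides in a settings.json (added example)."""
import json
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Assumed marketplace IDs (compared case-insensitively) -> (label, fixed version or None).
# The report gives no fix for the first three; Live Preview is fixed in 0.4.16.
AFFECTED: Dict[str, Tuple[str, Optional[str]]] = {
    "ritwickdey.liveserver": ("Live Server (CVE-2025-65717)", None),
    "formulahendry.code-runner": ("Code Runner (CVE-2025-65715)", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced (CVE-2025-65716)", None),
    "ms-vscode.live-server": ("Microsoft Live Preview", "0.4.16"),
}

# Assumed Code Runner keys that change which command is executed for a file.
CODE_RUNNER_KEYS = (
    "code-runner.executorMap",
    "code-runner.executorMapByFileExtension",
    "code-runner.customCommand",
)

LINE_RE = re.compile(r"^(?P<id>[^@\s]+)@(?P<ver>\S+)$")

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LISTING = (
    "ritwickdey.LiveServer@5.7.9\n"
    "ms-vscode.live-server@0.4.15\n"
    "ms-python.python@2024.0.0\n"
)


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.4.16' into (0, 4, 16); non-numeric fragments are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def audit_extensions(listing: str) -> List[dict]:
    """Return one finding per installed extension that the report names."""
    findings = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ext_id, ver = m.group("id").lower(), m.group("ver")
        if ext_id not in AFFECTED:
            continue
        label, fixed = AFFECTED[ext_id]
        if fixed is None:
            status = "unpatched per report: disable or uninstall if not essential"
        elif parse_version(ver) < parse_version(fixed):
            status = f"vulnerable: update to {fixed} or later"
        else:
            status = "fixed version installed"
        findings.append({"id": ext_id, "label": label, "version": ver, "status": status})
    return findings


def code_runner_overrides(settings_text: str) -> List[str]:
    """List Code Runner keys present in a settings.json; review any hit that
    arrived with a cloned repository rather than being set by the developer.
    Whole-line // comments (VS Code allows them) are stripped before parsing."""
    cleaned = "\n".join(l for l in settings_text.splitlines() if not l.strip().startswith("//"))
    try:
        settings = json.loads(cleaned)
    except json.JSONDecodeError:
        return []
    return [k for k in CODE_RUNNER_KEYS if k in settings]


def installed_listing() -> str:
    """Run the VS Code CLI; returns '' when `code` is not on PATH or fails."""
    try:
        out = subprocess.run(["code", "--list-extensions", "--show-versions"],
                             capture_output=True, text=True, check=True)
        return out.stdout
    except (OSError, subprocess.CalledProcessError):
        return ""


if __name__ == "__main__":
    listing = installed_listing() or SAMPLE_LISTING
    for f in audit_extensions(listing):
        print(f"{f['label']} {f['version']}: {f['status']}")
    sample_settings = '{\n  // constructed workspace settings\n  "code-runner.executorMap": {"python": "python3 -u"}\n}'
    print("Code Runner overrides:", code_runner_overrides(sample_settings))
```

Run it on a workstation to get a per-extension verdict; point `code_runner_overrides` at a repository's `.vscode/settings.json` before opening that repository with Code Runner enabled, since a workspace file is exactly the configuration "from an untrusted source" the advice above warns about.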
The immediate threat posed by keeping vulnerable extensions installed cannot be overstated. Organizations must recognize that a single click or the download of a compromised repository could lead to a complete security breach. The ongoing discovery of these VS Code extension vulnerabilities highlights the need for continuous vigilance and robust security protocols within software development lifecycles.
Moving forward, the focus will likely be on enhanced security auditing of popular developer tools and the implementation of more rigorous vetting processes for extensions published on marketplaces. Developers and organizations are urged to review their current extension usage and apply necessary security measures promptly.