A recently disclosed vulnerability in Microsoft's widely used Visual Studio Code (VS Code) Live Preview extension, which has over 11 million downloads, poses a significant security risk to developers. The flaw, identified by OX Security researchers Nir Zadok and Moshe Siman Tov Bustan, enables one-click cross-site scripting (XSS) and local file exfiltration attacks.
Details of the Vulnerability
This security issue affects all Live Preview versions up to, but not including, the patched 0.4.16 release. It stems from inadequate handling of untrusted input in the local development server that the extension runs. Exploiting the flaw lets a malicious website send unauthorized HTTP requests to the developer's local server, potentially exposing files in the served root directory.
Threat actors exploit this by injecting a JavaScript payload into Live Preview's file-handling logic, which produces a reflected XSS vulnerability. With script running in the context of the local server, attackers can read sensitive files such as environment configurations, API keys, and source code and exfiltrate them to an external server.
Microsoft’s Response and Patch
OX Security reported the vulnerability to Microsoft on August 7, 2025. Microsoft initially rated it a low-severity issue because exploitation depends on specific conditions and requires user interaction, and on September 11, 2025 it released a silent patch as version 0.4.16. The update added an escapeHTML function that sanitizes inputs and closes the attack vector.
Developers are urged to update their Live Preview extension to the latest version immediately to protect against potential exploitation. Systems running older versions with the extension active while visiting untrusted sites are at increased risk of data exposure.
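As an added illustration that is not the extension's own code (this page does not show the actual Live Preview code path), the snippet below contrasts a local server error page that reflects the requested path unescaped with one that routes the value through an escapeHTML helper, as the patch described above does. The request path and the shape of the error page are assumptions for the demonstration.

```javascript
// Added illustration, not code from the Live Preview extension.
// Assumed scenario: a local dev server answers an unknown path with an
// HTML 404 page that mentions the path the browser asked for.

// Vulnerable pattern: the untrusted request path is concatenated straight
// into the response body, so any markup it carries is rendered as HTML.
function renderNotFoundUnsafe(requestPath) {
  return `<html><body><h1>404</h1><p>Not found: ${requestPath}</p></body></html>`;
}

// Hardened pattern: escape the characters that change meaning in HTML
// text and attribute contexts before the value reaches the page.
function escapeHTML(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function renderNotFoundSafe(requestPath) {
  return `<html><body><h1>404</h1><p>Not found: ${escapeHTML(requestPath)}</p></body></html>`;
}

// Review helper: report whether a given raw markup marker survived into the output.
function containsRawMarkup(html, marker) {
  return html.includes(marker);
}

// Constructed sample: a request path carrying harmless markup as a marker.
const SAMPLE_PATH = '/missing<b>injected</b>.html';

// Stand-alone demonstration of both renderers on the sample path.
console.log('unsafe keeps markup:', containsRawMarkup(renderNotFoundUnsafe(SAMPLE_PATH), '<b>injected</b>'));
console.log('safe keeps markup:  ', containsRawMarkup(renderNotFoundSafe(SAMPLE_PATH), '<b>injected</b>'));
```

The same escaping must be applied at every point where request-derived data (path, query string, headers) is interpolated into a page, not only in the 404 handler.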
Preventative Measures and Recommendations
The attack scenario requires minimal interaction: if a developer has Live Preview active, merely visiting a compromised webpage can automatically trigger requests to the local server, exposing internal paths and enabling data extraction via JavaScript payloads.
- Update Software: Upgrade Live Preview to version 0.4.16 or later.
- Disable Extensions: Remove or disable unused IDE extensions.
- Restrict Services: Use a firewall to limit access to local development services.
- Disable Localhost Services: Turn off localhost-based services when not in use.
- Routine Updates: Regularly apply updates across all development tools.
Given the extensive use of VS Code in software development, this incident highlights the critical need to secure developer environments and reduce unnecessary local exposure during testing phases.
