Three significant security vulnerabilities have been identified in four widely used Visual Studio Code extensions, putting millions of developers at risk. The vulnerabilities, tracked as CVE-2025-65715, CVE-2025-65716, and CVE-2025-65717, affect extensions with over 128 million downloads collectively.
Security Risks in Developer Tools
The OX Security Research team discovered these vulnerabilities, which were later confirmed on platforms such as Cursor and Windsurf IDEs. This revelation highlights a critical oversight in the security of modern software supply chains: the vulnerability of developers’ own systems.
Integrated Development Environments (IDEs) are crucial for developers, housing sensitive information like business logic, API keys, and customer data. Extensions with extensive system-level permissions could become potential entry points for security breaches.
Details of the Vulnerabilities
Each vulnerability presents a distinct threat. CVE-2025-65717, with a CVSS score of 9.1, allows remote file exfiltration through the localhost server that Live Server starts. CVE-2025-65716 in Markdown Preview Enhanced, rated 8.8, enables JavaScript execution that leads to local port scanning and data extraction. CVE-2025-65715 in Code Runner, with a 7.8 score, poses a risk of remote code execution.
The Microsoft Live Preview extension was found to have an XSS vulnerability, enabling full IDE file exfiltration, which was patched in version 0.4.16 without public acknowledgment to OX Security.
Security Recommendations and Future Measures
OX Security disclosed these issues to the relevant maintainers in mid-2025 but received no response, underscoring the lack of accountability in extension security management. They advise developers to scrutinize IDE extensions as rigorously as any other third-party software dependency.
Developers should audit and remove non-essential extensions and avoid running localhost servers unnecessarily. OX Security advocates for mandatory security reviews for marketplace extensions, AI-driven scanning of new submissions, and enforceable patch timelines to mitigate risks.
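One way to turn the audit recommendation above into a repeatable check. This is an added example, not OX Security's tooling or code from the article: it parses the output of `code --list-extensions --show-versions`, flags the extensions discussed here, and reports anything not on a team allowlist. The marketplace identifiers are supplied by the example rather than taken from the article (confirm them against the marketplace), only Live Preview has a fixed version stated in the article, and the sample listing is constructed.

```python
import subprocess
from typing import Dict, List, Optional, Tuple
# Marketplace IDs are supplied here, not taken from the article: confirm them
# against the marketplace. Only Live Preview has a fixed version stated in the
# article (0.4.16); the others carry None and are flagged for manual review.
WATCHLIST: Dict[str, Tuple[str, Optional[str]]] = {
    "ms-vscode.live-server": ("Live Preview", "0.4.16"),
    "ritwickdey.liveserver": ("Live Server, CVE-2025-65717", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced, CVE-2025-65716", None),
    "formulahendry.code-runner": ("Code Runner, CVE-2025-65715", None),
}
# Constructed sample in the format printed by `code --list-extensions --show-versions`.
SAMPLE_LISTING = """ms-vscode.live-server@0.4.15
shd101wyy.markdown-preview-enhanced@0.8.18
ms-python.python@2025.2.0
esbenp.prettier-vscode@11.0.0
"""

def parse_listing(text: str) -> Dict[str, str]:
    """Map lower-cased extension id -> version (marketplace ids are case-insensitive)."""
    found: Dict[str, str] = {}
    for line in text.splitlines():
        if "@" in line:
            ext_id, version = line.strip().rsplit("@", 1)
            found[ext_id.lower()] = version
    return found

def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))  # non-numeric parts count as 0

def audit(listing: str, allowlist: List[str]) -> List[str]:
    """Findings: watchlisted extensions unpatched or unverified, plus anything not approved."""
    findings, allowed = [], {a.lower() for a in allowlist}
    for ext_id, version in parse_listing(listing).items():
        if ext_id in WATCHLIST:
            name, fixed = WATCHLIST[ext_id]
            if fixed is None:
                findings.append(f"{ext_id}@{version}: {name}; check advisory status")
            elif version_tuple(version) < version_tuple(fixed):
                findings.append(f"{ext_id}@{version}: {name} below fixed version {fixed}")
        if ext_id not in allowed:
            findings.append(f"{ext_id}@{version}: not on allowlist, review or remove")
    return findings

def installed_listing() -> str:
    """Query the real `code` CLI; fall back to the constructed sample if it is absent."""
    try:
        return subprocess.run(["code", "--list-extensions", "--show-versions"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        return SAMPLE_LISTING
```

Call `audit(installed_listing(), team_allowlist)` on each workstation and treat every returned line as an extension to patch, justify, or remove.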
As reliance on extensions grows, partly driven by AI coding tools, the current security model is increasingly inadequate and leaves organizations more exposed. Robust security measures and clear accountability are essential to prevent future vulnerabilities.
