In a recent revelation, cybersecurity experts have uncovered significant security vulnerabilities in four widely used Microsoft Visual Studio Code (VS Code) extensions. These flaws, if exploited, could enable malicious actors to steal sensitive local files and execute unauthorized code remotely. The affected extensions, installed over 125 million times collectively, include Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview.
Critical Vulnerabilities Discovered
Security researchers from OX Security, Moshe Siman Tov Bustan and Nir Zadok, highlighted the potential impact of these vulnerabilities. Their report indicates that a single compromised extension or vulnerability can lead to widespread organizational security breaches. The vulnerabilities identified present a severe risk, with the potential to allow attackers to perform lateral movement within networks.
The details of these vulnerabilities are alarming. One such flaw, identified as CVE-2025-65717 with a CVSS score of 9.1, exists in the Live Server extension. This vulnerability can be exploited by deceiving developers into visiting malicious websites, leading to the exfiltration of local files. Similarly, CVE-2025-65716, affecting Markdown Preview Enhanced, allows arbitrary JavaScript code execution through crafted markdown files. Both vulnerabilities remain unpatched.
Impact on Development Environments
The vulnerabilities extend to Code Runner, with CVE-2025-65715 scoring 7.8 on the CVSS scale. Attackers can exploit this by manipulating the “settings.json” file, often through phishing tactics, to execute arbitrary code. The Microsoft Live Preview extension also contained a vulnerability that exposed sensitive files through malicious webpage visits; unlike the other three, this one was discreetly patched in version 0.4.16, released in September 2025.
Such security lapses underscore the importance of maintaining a secure development environment. Developers are advised to avoid using untrusted configurations, disable or uninstall unnecessary extensions, and strengthen local network security with firewalls. Regular updates of extensions and disabling localhost services when not in use are also recommended to mitigate risks.
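One way to act on the update-or-disable advice above is an inventory check over the output of `code --list-extensions --show-versions`. This is an added example, not code from the article or from OX Security; the Marketplace extension identifiers are assumptions to verify against the Marketplace, and the sample listing is constructed.

```python
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Marketplace identifiers for the four extensions the article names are
# assumed here; verify them against the Marketplace before relying on this.
# Value: (label, first fixed version per the article, or None if unpatched).
ADVISORY: Dict[str, Tuple[str, Optional[str]]] = {
    "ritwickdey.liveserver": ("Live Server, CVE-2025-65717", None),
    "formulahendry.code-runner": ("Code Runner, CVE-2025-65715", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced, CVE-2025-65716", None),
    "ms-vscode.live-server": ("Microsoft Live Preview", "0.4.16"),
}

def version_key(version: str) -> Tuple[int, ...]:
    """Numeric tuple for ordering: '0.4.16' -> (0, 4, 16); text suffixes are dropped."""
    return tuple(int(p) for p in re.findall(r"\d+", version))

def parse_listing(text: str) -> Dict[str, str]:
    """Parse `code --list-extensions --show-versions` output, one id@version per line."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        ext_id, sep, version = line.strip().rpartition("@")
        if sep:  # blank lines and lines without a version are skipped
            installed[ext_id.lower()] = version  # ids are case-insensitive
    return installed

def audit(installed: Dict[str, str]) -> List[str]:
    """One finding per installed extension covered by the advisory."""
    findings = []
    for ext_id, (label, fixed) in ADVISORY.items():
        version = installed.get(ext_id)
        if version is None:
            continue
        if fixed is None:
            findings.append(f"{label} {version}: no fix published; disable or uninstall")
        elif version_key(version) < version_key(fixed):
            findings.append(f"{label} {version}: update to {fixed} or later")
    return findings

def audit_local_vscode() -> List[str]:
    """Audit the real installation; needs the `code` CLI on PATH."""
    out = subprocess.run(["code", "--list-extensions", "--show-versions"],
                         capture_output=True, text=True, check=True).stdout
    return audit(parse_listing(out))

# Constructed sample listing (not captured from a real machine).
SAMPLE_LISTING = "ritwickdey.LiveServer@1.2.3\nms-vscode.live-server@0.4.15\nms-python.python@2024.1.1\n"

if __name__ == "__main__":
    for finding in audit(parse_listing(SAMPLE_LISTING)):
        print(finding)
```

Run `audit_local_vscode()` on a developer workstation to get the same findings for the extensions actually installed there.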
Recommendations for Developers
OX Security emphasizes the danger posed by poorly written or overly permissive extensions. These can permit code execution and file modifications, thereby enabling attackers to gain control over machines and extract critical information. The presence of vulnerable extensions represents an immediate threat to organizational security, as even a single click or downloaded repository can lead to comprehensive system compromise.
In conclusion, staying vigilant and proactive about extension security is crucial for developers. As these vulnerabilities remain a threat, implementing robust security measures is essential to safeguard development environments from potential exploitation.
