
Cybersecurity researchers have revealed multiple security vulnerabilities in four popular Microsoft Visual Studio Code (VS Code) extensions that, if successfully exploited, could allow threat actors to steal local files and execute code remotely.
The extensions, which have been installed over 125 million times in total, are Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview.
“Our research shows that a hacker only needs one malicious extension, or a single vulnerability within one extension, to perform lateral movement and compromise an entire organization,” OX Security researchers Moshe Siman Tov Bustan and Nir Zadok said in a report shared with The Hacker News.
The vulnerability details are below.
- CVE-2025-65717 (CVSS score: 9.1) – A vulnerability in Live Server that allows an attacker to extract local files. A developer is tricked into visiting a malicious website while the extension is running; JavaScript embedded in the page then crawls the local development HTTP server running at localhost:5500, extracts files, and sends them to a domain under the attacker's control. (Unpatched)
- CVE-2025-65716 (CVSS score: 8.8) – A vulnerability in Markdown Preview Enhanced that allows attackers to execute arbitrary JavaScript code by uploading a crafted Markdown (.md) file, enabling local port enumeration and exfiltration to attacker-controlled domains. (Unpatched)
- CVE-2025-65715 (CVSS score: 7.8) – A vulnerability in Code Runner that allows an attacker to execute arbitrary code by persuading a user to modify the "settings.json" file through phishing or social engineering. (Unpatched)
- No CVE – A vulnerability in Microsoft Live Preview that could allow an attacker to access sensitive files on a developer's machine by tricking the victim into visiting a malicious website while the extension is running; specially crafted JavaScript requests targeting localhost can then enumerate and extract sensitive files. (Silently fixed by Microsoft in version 0.4.16, released September 2025)
To protect your development environment: avoid applying untrusted configurations, disable or uninstall non-essential extensions, harden your local network behind a firewall that limits incoming and outgoing connections, update extensions regularly, and turn off localhost-based services when they are not in use.
“A poorly written, overly permissive, or malicious extension can execute code, modify files, or allow an attacker to take over your machine and exfiltrate information,” OX Security said. “Leaving a vulnerable extension installed on a machine is an immediate threat to an organization’s security posture. A single click or repository download can compromise everything.”
