Security Vulnerabilities Discovered In Live Server Code Runner And Other VS Code Extensions

Cybersecurity researchers have identified multiple high-severity vulnerabilities in four widely used extensions for Microsoft Visual Studio Code that together account for more than 125 million installs. The affected extensions are Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. According to findings shared by OX Security, successful exploitation could allow attackers to exfiltrate sensitive local files, execute arbitrary code, and potentially move laterally across development environments within organizations.

Researchers Moshe Siman Tov Bustan and Nir Zadok of OX Security said their analysis demonstrates that a single malicious extension, or even one exploitable flaw within a legitimate extension, can be enough to compromise an entire organization. The most severe issue, tracked as CVE-2025-65717 with a CVSS score of 9.1, affects Live Server. It allows attackers to exfiltrate local files by tricking a developer into visiting a malicious website while the extension is active: JavaScript on the attacker's page can send requests to the local development server listening on localhost port 5500, crawl the files it exposes, and transmit them to an attacker-controlled domain. Because the browser runs that JavaScript on the developer's own machine, binding the server to localhost offers no protection by itself. The vulnerability remains unpatched. A second issue, CVE-2025-65716 with a CVSS score of 8.8, affects Markdown Preview Enhanced and enables arbitrary JavaScript execution through a crafted Markdown file, which can in turn be used for local port enumeration and data exfiltration. This flaw also remains unpatched.

A third vulnerability, CVE-2025-65715 with a CVSS score of 7.8, was found in Code Runner. It allows arbitrary code execution if a user is persuaded, through phishing or social engineering, to modify the settings.json configuration file. The researchers noted that this attack path highlights the risk of configuration manipulation in development environments: a settings file that decides which commands a tool runs is, in effect, executable content. In addition, a vulnerability in Microsoft Live Preview allowed attackers to read sensitive files by luring users to malicious websites while the extension was running; specially crafted JavaScript requests to the localhost service could enumerate and extract files. Although no CVE was assigned to this issue, Microsoft fixed it silently in version 0.4.16, released in September 2025.

OX Security emphasized that poorly designed, overly permissive, or malicious extensions can execute code, modify files, and enable full system compromise. The researchers warned that leaving vulnerable extensions installed is an immediate security risk, since a single click on a link or the download of a repository may be enough to trigger exploitation. To reduce exposure, they recommend avoiding untrusted configurations, disabling or removing non-essential extensions, placing local development environments behind properly configured firewalls that limit both inbound and outbound connections, keeping extensions up to date, and disabling localhost-based services when they are not needed. The findings underscore the growing importance of securing developer toolchains as threat actors increasingly target software development environments to reach sensitive codebases and internal systems.
