Critical Flaws Found in Popular VS Code Extensions, Impacting 125 Million Installs

Cybersecurity researchers have recently identified critical vulnerabilities in four widely used Microsoft Visual Studio Code (VS Code) extensions: Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. Collectively, these extensions have been installed over 125 million times, underscoring the potential widespread impact of these security flaws.

Overview of the Vulnerabilities

The identified vulnerabilities could allow malicious actors to steal local files and execute code remotely on developers’ machines. The specific details of each vulnerability are as follows:

1. Live Server (CVE-2025-65717)
– Severity: CVSS score of 9.1
– Description: This vulnerability enables attackers to exfiltrate local files by tricking developers into visiting a malicious website while the extension is active. The embedded JavaScript in the malicious page can access and extract files from the local development HTTP server running at `localhost:5500` and transmit them to an attacker-controlled domain.
– Status: Unpatched

2. Markdown Preview Enhanced (CVE-2025-65716)
– Severity: CVSS score of 8.8
– Description: Attackers can execute arbitrary JavaScript code by uploading a specially crafted markdown (`.md`) file. This allows for local port enumeration and data exfiltration to a domain under the attacker’s control.
– Status: Unpatched

3. Code Runner (CVE-2025-65715)
– Severity: CVSS score of 7.8
– Description: By convincing a user to modify the `settings.json` file through phishing or social engineering tactics, attackers can execute arbitrary code on the developer’s machine.
– Status: Unpatched

4. Microsoft Live Preview
– Description: This vulnerability allows attackers to access sensitive files on a developer’s machine by directing the victim to a malicious website while the extension is running. Specially crafted JavaScript requests can target the localhost to enumerate and exfiltrate sensitive files.
– Status: Fixed silently by Microsoft in version 0.4.16 released in September 2025

Implications for Developers and Organizations

The discovery of these vulnerabilities highlights the significant risks associated with using third-party extensions in development environments. As OX Security researchers Moshe Siman Tov Bustan and Nir Zadok noted, a single malicious extension, or a vulnerability within an otherwise benign one, can enable attackers to perform lateral movement and compromise entire organizations.

Poorly written or overly permissive extensions can execute code, modify files, and allow attackers to take control of a machine and exfiltrate information. Maintaining vulnerable extensions on a machine poses an immediate threat to an organization’s security posture; it may take only one click or a downloaded repository to compromise everything.

Recommendations for Mitigation

To enhance the security of development environments, the following measures are recommended:

– Avoid Untrusted Configurations: Refrain from applying configurations from untrusted sources.

– Disable or Uninstall Non-Essential Extensions: Regularly review and remove extensions that are not essential to your development workflow.

– Network Hardening: Implement firewalls to restrict inbound and outbound connections, thereby reducing the attack surface.

– Regular Updates: Periodically update all extensions to ensure that the latest security patches are applied.

– Manage Localhost Services: Turn off localhost-based services when they are not in use to prevent unauthorized access.
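The audit below turns the vulnerability list above and the recommendations on reviewing, updating and removing extensions into a repeatable check. It is an added example written for this article, not code from the article, from OX Security or from any of the extension projects. It assumes the real VS Code CLI invocation `code --list-extensions --show-versions`, which prints one `publisher.name@version` line per installed extension, and it assumes the marketplace identifiers given in `WATCHLIST` are the ones for the four named extensions; the fixed version 0.4.16 for Live Preview comes from the article, the sample listing is constructed. The optional `localhost_port_open` helper supports the last recommendation by reporting whether a development server such as Live Server's default `localhost:5500` is still listening.

```python
"""Audit installed VS Code extensions against the four extensions named above.

Added example, not the article's or OX Security's code. Assumptions:
  - `code --list-extensions --show-versions` prints `publisher.name@version` per line
    (real VS Code CLI flags);
  - the marketplace IDs in WATCHLIST are assumed to be the ones for the four extensions.
"""
import re
import socket
import subprocess
from typing import Dict, List, Tuple

# Assumed marketplace IDs (lower-cased for matching) -> (display name, reference from the article)
WATCHLIST: Dict[str, Tuple[str, str]] = {
    "ritwickdey.liveserver": ("Live Server", "CVE-2025-65717"),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced", "CVE-2025-65716"),
    "formulahendry.code-runner": ("Code Runner", "CVE-2025-65715"),
    "ms-vscode.live-server": ("Microsoft Live Preview", "fixed in 0.4.16"),
}

# Only Live Preview has a fixed version according to the article; the other three are unpatched.
FIXED_VERSION: Dict[str, str] = {"ms-vscode.live-server": "0.4.16"}

LINE_RE = re.compile(r"^(?P<ext_id>[^@\s]+)@(?P<version>\S+)$")

# Constructed sample of CLI output, used so the audit runs offline.
SAMPLE_LISTING = """\
ms-python.python@2024.22.0
ritwickdey.LiveServer@5.7.9
ms-vscode.live-server@0.4.15
formulahendry.code-runner@0.12.2
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '0.4.16' into (0, 4, 16); non-numeric suffixes such as '-beta' are ignored."""
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def parse_listing(text: str) -> Dict[str, str]:
    """Map extension ID -> version from `code --list-extensions --show-versions` output."""
    installed: Dict[str, str] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            installed[m.group("ext_id")] = m.group("version")
    return installed


def audit(installed: Dict[str, str]) -> List[dict]:
    """Return one finding per watched extension that is installed, with a recommended action."""
    findings: List[dict] = []
    for ext_id, version in installed.items():
        key = ext_id.lower()
        if key not in WATCHLIST:
            continue
        name, ref = WATCHLIST[key]
        fixed = FIXED_VERSION.get(key)
        if fixed and parse_version(version) >= parse_version(fixed):
            status = "patched"
        elif fixed:
            status = f"vulnerable: update to {fixed} or later"
        else:
            status = "no fix available: disable or uninstall"
        findings.append({"id": ext_id, "name": name, "ref": ref, "version": version, "status": status})
    return findings


def list_installed_extensions() -> Dict[str, str]:
    """Query the local VS Code CLI (requires `code` on PATH)."""
    out = subprocess.run(
        ["code", "--list-extensions", "--show-versions"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_listing(out)


def localhost_port_open(port: int, timeout: float = 0.5) -> bool:
    """True if something on this machine is listening on 127.0.0.1:<port> (e.g. Live Server's 5500)."""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    try:
        installed = list_installed_extensions()
    except (FileNotFoundError, subprocess.CalledProcessError):
        installed = parse_listing(SAMPLE_LISTING)  # fall back to the constructed sample
    for f in audit(installed):
        print(f"{f['name']} ({f['id']}@{f['version']}, {f['ref']}): {f['status']}")
    print("Live Server default port 5500 listening:", localhost_port_open(5500))
```

Running it on a real workstation replaces the constructed sample with the actual extension list; a finding with status "no fix available" is the case where the article's advice to disable or uninstall applies, and a finding below 0.4.16 for Live Preview is the case where updating is enough.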

Broader Context: Supply Chain Attacks in Development Tools

The vulnerabilities in these VS Code extensions are part of a broader trend of supply chain attacks targeting development tools. For instance, in July 2025, a supply chain attack targeted the Ethcode VS Code extension, which had been installed over 6,000 times. The attacker compromised the extension via a malicious pull request, introducing code that could download and execute a second-stage payload, potentially leading to the theft of cryptocurrency assets or poisoning of smart contracts.

Similarly, in October 2025, the self-spreading ‘GlassWorm’ malware infected multiple VS Code extensions, leveraging the Solana blockchain for command-and-control operations. This sophisticated attack aimed to harvest developer credentials and cryptocurrency wallet data, turning developer machines into conduits for further malicious activities.

The Importance of Vigilance

These incidents underscore the critical importance of vigilance in securing development environments. Developers and organizations must be proactive in assessing the security of the tools and extensions they use. This includes conducting regular security audits, staying informed about known vulnerabilities, and implementing best practices for secure development.

Conclusion

The identification of critical vulnerabilities in popular VS Code extensions serves as a stark reminder of the potential risks associated with third-party development tools. By adopting a proactive approach to security, developers and organizations can mitigate these risks and protect their systems from potential exploitation.