Critical flaws found in four Visual Studio Code extensions

In a technical analysis, cybersecurity researchers at OX Security disclosed multiple security vulnerabilities in four popular Visual Studio Code extensions that together have been installed more than 125 million times.

KEY FACTS

  • Incident: Multiple vulnerabilities found in four VS Code extensions
  • Affected extensions: Live Server, Code Runner, Markdown Preview Enhanced, Microsoft Live Preview
  • Install base: More than 125 million collective installs
  • Severity: Highest CVSS score 9.1, with additional scores of 8.8 and 7.8
  • Patch status: Three CVEs remain unpatched; Live Preview fixed in version 0.4.16

The most severe flaw, tracked as CVE-2025-65717 with a CVSS score of 9.1, affects Live Server. While the extension is running, an attacker can trick a developer into visiting a malicious web page whose JavaScript crawls the local development HTTP server on localhost:5500 and exfiltrates files to an attacker-controlled domain.

CVE-2025-65716 affects Markdown Preview Enhanced and has a CVSS score of 8.8. A crafted markdown file can execute arbitrary JavaScript in the preview context, which allows local port enumeration and data exfiltration to an external domain.

CVE-2025-65715 impacts Code Runner with a CVSS score of 7.8. The flaw can lead to arbitrary code execution if a user is tricked, via phishing or social engineering, into modifying their settings.json file.

A separate vulnerability in Microsoft Live Preview did not receive a CVE and was fixed silently by Microsoft in version 0.4.16 released in September 2025. The fix appears in the Live Preview changelog.

Recommended mitigations include avoiding untrusted configurations, disabling or uninstalling non-essential extensions, restricting inbound and outbound network connections behind a firewall, keeping extensions updated, and turning off localhost-based services when not in use. The disclosure notes that keeping vulnerable extensions installed can enable lateral movement and broad compromise from a single click or downloaded repository.
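The mitigations above start with knowing which of the four extensions are installed and whether the Live Preview copy is at or above the fixed version. The following POSIX shell script is an added example, not code from the OX Security report or from any of the named extension projects: it reads the `id@version` lines that `code --list-extensions --show-versions` prints and reports a finding for each of the four extensions. The Marketplace identifiers used for the four extensions are assumptions and should be checked against each extension's Marketplace listing; the extension list embedded in the script is constructed sample data so it runs offline.

```sh
#!/bin/sh
# Added example (not from the OX Security report or the extension projects):
# triage the output of `code --list-extensions --show-versions` against the
# four extensions named in the disclosure.

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LIST='ms-python.python@2025.1.0
ms-vscode.live-server@0.4.15
ritwickdey.LiveServer@5.7.9
formulahendry.code-runner@0.12.2
shd101wyy.markdown-preview-enhanced@0.8.18'

# version_lt A B: succeeds when dotted version A is older than B
# (numeric comparison per component, so 0.4.9 < 0.4.16).
version_lt() {
    [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)" = "$1" ]
}

# triage_extensions: reads "publisher.name@version" lines on stdin and
# prints one finding per matched extension. Extension identifiers are
# assumptions (verify against the Marketplace); they are compared lowercase
# because the CLI may normalise case.
triage_extensions() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        id=$(printf '%s' "${line%@*}" | tr 'A-Z' 'a-z')
        ver=${line##*@}
        case "$id" in
            ms-vscode.live-server)
                # Microsoft Live Preview: fixed in 0.4.16 per the changelog.
                if version_lt "$ver" "0.4.16"; then
                    echo "VULNERABLE $id $ver: update to 0.4.16 or later"
                else
                    echo "OK $id $ver: patched"
                fi ;;
            ritwickdey.liveserver)
                echo "UNPATCHED $id $ver: CVE-2025-65717, no fix available; disable when not in use" ;;
            formulahendry.code-runner)
                echo "UNPATCHED $id $ver: CVE-2025-65715, no fix available; review settings.json changes" ;;
            shd101wyy.markdown-preview-enhanced)
                echo "UNPATCHED $id $ver: CVE-2025-65716, no fix available; avoid untrusted markdown" ;;
        esac
    done
}

# Against a real machine: code --list-extensions --show-versions | triage_extensions
printf '%s\n' "$SAMPLE_LIST" | triage_extensions
```

The version comparison deliberately avoids `sort -V`, which is a GNU extension, so the script behaves the same on macOS and Linux developer machines. Extensions not named in the disclosure produce no output, which keeps the report short enough to drop into a fleet inventory job.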

WHY IT MATTERS

The flaws enable local file theft and remote code execution on developer machines, which can lead to wider organizational compromise. Removing or updating vulnerable extensions and restricting localhost access reduces the immediate risk.