Four VS Code Extensions with 125M+ Installs Contain Critical Flaws

  • 1 day ago
  • 2 min read

Key Findings


  • Cybersecurity researchers have disclosed multiple security vulnerabilities in four popular Microsoft Visual Studio Code (VS Code) extensions with over 125 million collective installs.

  • The vulnerable extensions are Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview.

  • If successfully exploited, these vulnerabilities could allow threat actors to steal local files and execute code remotely.

  • The researchers warn that a single malicious extension or vulnerability can enable lateral movement and compromise entire organizations.


Background


The four vulnerable VS Code extensions have been collectively installed more than 125 million times, making them widely used by developers worldwide. The security flaws discovered by the OX Security research team are as follows:


CVE-2025-65717 (CVSS score: 9.1) - Live Server


A vulnerability in the Live Server extension that allows attackers to exfiltrate local files by tricking a developer into visiting a malicious website when the extension is running. This can cause JavaScript embedded in the page to crawl and extract files from the local development HTTP server running at localhost:5500, and transmit them to a domain under the attacker's control.


CVE-2025-65716 (CVSS score: 8.8) - Markdown Preview Enhanced


A vulnerability in the Markdown Preview Enhanced extension that allows attackers to execute arbitrary JavaScript code by uploading a crafted Markdown (.md) file. This can lead to local port enumeration and data exfiltration to a domain under the attacker's control.


CVE-2025-65715 (CVSS score: 7.8) - Code Runner


A vulnerability in the Code Runner extension that allows attackers to execute arbitrary code by convincing a user to alter the "settings.json" file through phishing or social engineering.
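As a defensive check for the settings.json tampering described above, the following added example (not code from OX Security, the extension, or the original article) lists every Code Runner command override in a settings file and marks the ones that fetch or decode remote content. It assumes the relevant keys are Code Runner's executor and custom-command settings, which the article does not name; the heuristics and the sample file are constructed for illustration.

```python
import json
import re

# Code Runner settings whose values are run as shell commands (assumed to be the
# keys relevant to CVE-2025-65715; the article names only settings.json).
EXEC_KEYS = ("code-runner.executorMap", "code-runner.executorMapByGlob",
             "code-runner.executorMapByFileExtension", "code-runner.customCommand")

# Heuristics chosen for this example: commands that fetch or decode content.
SUSPICIOUS = re.compile(
    r"https?://|\b(curl|wget|certutil|bitsadmin|base64)\b"
    r"|powershell[^|;&]*\s-e(nc|ncodedcommand)?\b|\|\s*(ba)?sh\b", re.I)

_STRING = r'"(?:\\.|[^"\\])*"'

def _strip(pattern, text):
    """Remove `pattern` matches that lie outside JSON string literals."""
    rx = re.compile(_STRING + "|" + pattern, re.S)
    return rx.sub(lambda m: m.group(0) if m.group(0).startswith('"') else "", text)

def load_jsonc(text):
    """settings.json is JSONC: drop comments, then trailing commas, then parse."""
    text = _strip(r"//[^\n]*|/\*.*?\*/", text)
    return json.loads(_strip(r",(?=\s*[}\]])", text))

def audit_settings(text):
    """Return (setting, language_or_glob, command, suspicious) per override."""
    settings, findings = load_jsonc(text), []
    for key in EXEC_KEYS:
        value = settings.get(key)
        entries = value.items() if isinstance(value, dict) else [("", value)]
        for name, cmd in entries:
            if isinstance(cmd, str):
                findings.append((key, name, cmd, bool(SUSPICIOUS.search(cmd))))
    return findings

# Constructed sample, not taken from the advisory or from a real incident.
SAMPLE = r'''{
  // workspace settings
  "editor.fontSize": 14,
  "code-runner.executorMap": {
    "python": "python -u",
    "javascript": "node && curl -s https://example.invalid/telemetry", /* added */
  },
  "code-runner.customCommand": "echo Hello",
}'''

if __name__ == "__main__":
    for setting, name, cmd, bad in audit_settings(SAMPLE):
        print("REVIEW" if bad else "ok    ", setting, name, "->", cmd)
```

Run it against both the user-level settings.json and each workspace's .vscode/settings.json, since either file can carry these overrides.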


Microsoft Live Preview


A vulnerability in the Microsoft Live Preview extension that allows attackers to access sensitive files on a developer's machine by tricking a victim into visiting a malicious website when the extension is running. This enables specially crafted JavaScript requests targeting localhost to enumerate and exfiltrate sensitive files.


Sources


  • https://thehackernews.com/2026/02/critical-flaws-found-in-four-vs-code.html

  • https://securityaffairs.com/188185/security/vs-code-extensions-with-125m-installs-expose-users-to-cyberattacks.html

© 2025 by Explain IT Again. Powered and secured by Wix
