Critical Vulnerabilities Found in Popular VS Code Extensions
Multiple vulnerabilities identified in widely used Visual Studio Code extensions present significant security risks, potentially affecting over 125 million installations. The flaws, which remain unpatched for several extensions, could allow remote attackers to exfiltrate files and execute arbitrary code within developer environments.
Recent research revealed three major vulnerabilities: CVE-2025-65717 in the Live Server extension, which enables local file exfiltration via malicious webpages; CVE-2025-65716 in Markdown Preview Enhanced that facilitates arbitrary JavaScript execution through crafted Markdown files; and CVE-2025-65715 in Code Runner, allowing attackers to execute unauthorized commands by manipulating configuration files. A separate issue in Microsoft Live Preview has also been addressed silently but lacks a CVE identifier. All these vulnerabilities could lead to sensitive data theft and unauthorized code execution.
These extensions operate with elevated privileges and extensive access to developer systems, creating a fertile ground for exploitation. Once compromised, attackers can execute commands, delete files, and gain persistent access to workstations. The implications extend beyond individual workstations, posing risks to broader organizational networks due to potential lateral movement through compromised systems.
This situation matters significantly as it illustrates the increasing threat landscape within modern development workflows. With developers often unaware of these vulnerabilities, malicious actors may easily exploit them to compromise entire systems, highlighting the need for robust security measures during software development.
Defenders should implement several countermeasures, such as avoiding untrusted HTML files while localhost servers are active, limiting server operations, and installing only trusted extensions. Regular monitoring and patch management are essential to mitigate these risks and protect sensitive development environments.
No specific Indicators of Compromise (IOCs) were provided in the article.