Multiple security flaws in four well-known Microsoft Visual Studio Code (VS Code) extensions have been found by cybersecurity researchers. If successfully exploited, these flaws could enable threat actors to remotely execute code and steal local files.

Together, the extensions (Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview) have been installed over 125 million times.

CVE-2025-65717 (CVSS score: 9.1) is a vulnerability in Live Server that allows attackers to exfiltrate local files by fooling a developer into visiting a malicious website while the extension is running. JavaScript embedded in the page crawls and extracts files from the local development HTTP server running at localhost:5500. The files are then transmitted to a domain under the attacker's control.

CVE-2025-65716 (CVSS score: 8.8) is an unpatched vulnerability in Markdown Preview Enhanced that lets attackers run arbitrary JavaScript code by uploading a specially crafted markdown (.md) file, enabling local port enumeration and exfiltration to a domain under the attacker's control.

CVE-2025-65715 (CVSS score: 7.8) is a flaw in Code Runner that lets attackers run arbitrary code by tricking a user into changing the "settings.json" file via social engineering or phishing. (Not yet patched)

A Microsoft Live Preview vulnerability allows attackers to access sensitive files on a developer's computer by tricking a victim into visiting a malicious website while the extension is running. Specially crafted JavaScript requests can then target the localhost, enumerating and exfiltrating sensitive files. (No CVE; Microsoft silently fixed it in version 0.4.16, which was made available in September 2025.)

To secure the development environment, avoid using untrusted configurations, disable or remove unnecessary extensions, harden the local network behind a firewall to prevent incoming and outgoing connections, update extensions on a regular basis, and shut down localhost-based services when not in use.

Malicious, poorly written, or excessively permissive extensions can alter files, run code, and give hackers access to a computer so they can steal data, according to OX Security. "An organization's security posture is immediately threatened by keeping vulnerable extensions installed on a machine: all it takes is one click or a downloaded repository to compromise everything."
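One way to act on the advice above, as an added example that is not from the article or from OX Security: it audits a `code --list-extensions --show-versions` listing for the four extensions and checks whether a local server is still listening on port 5500. The Marketplace extension IDs, the sample listing and its version numbers are assumptions of this example.

```python
import re
import socket

# Marketplace IDs below are this example's assumption; the article gives only names.
# fixed_in is None where the article names no fixed version.
WATCHLIST = {
    "ritwickdey.liveserver": ("Live Server", "CVE-2025-65717", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced", "CVE-2025-65716", None),
    "formulahendry.code-runner": ("Code Runner", "CVE-2025-65715", None),
    "ms-vscode.live-server": ("Microsoft Live Preview", "no CVE", "0.4.16"),
}

# Constructed sample in the `publisher.name@version` format; versions are made up.
SAMPLE = """ms-python.python@2025.1.0
ritwickdey.LiveServer@5.7.9
ms-vscode.live-server@0.4.15
formulahendry.code-runner@0.12.2
"""

def version_tuple(text):
    """'0.4.16' -> (0, 4, 16); a component's non-numeric suffix is ignored."""
    return tuple(int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in text.split("."))

def audit(listing):
    """Return (name, reference, installed_version, action) for each watched extension."""
    findings = []
    for line in listing.splitlines():
        ext_id, _, version = line.strip().partition("@")
        entry = WATCHLIST.get(ext_id.lower())
        if entry is None:
            continue
        name, ref, fixed_in = entry
        if fixed_in is None:
            findings.append((name, ref, version, "no fixed version named: disable or remove if unused"))
        elif not version or version_tuple(version) < version_tuple(fixed_in):
            findings.append((name, ref, version, f"update to {fixed_in} or later"))
    return findings

def local_listener(port=5500, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port (5500 is the port the article cites)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0

if __name__ == "__main__":
    print(audit(SAMPLE), "port 5500 open:", local_listener())
```

To audit a real machine, pass the captured output of `code --list-extensions --show-versions` to `audit()` in place of `SAMPLE`.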