Code Extensions Vulnerabilities: 128 Million Users at Risk

Three serious flaws have been identified in four well-known Visual Studio Code extensions that together account for more than 128 million downloads. They have been assigned CVE-2025-65715, CVE-2025-65716, and CVE-2025-65717.
According to the OX Security Research team's findings, which were later validated on the Cursor and Windsurf IDEs, the developer's own computer is a systemic blind spot in contemporary software supply chain security. Developers store and work with the most sensitive organizational assets inside Integrated Development Environments (IDEs): database configurations, environment variables, business logic, API keys, and customer data. Extensions that run with broad system-level permissions provide an open door to all of it.
OX Security claims that all it takes to allow lateral movement and compromise a whole organization is one malicious or weak extension.

| CVE ID | Extension | CVSS Score | Downloads | Vulnerability | Affected Versions |
|---|---|---|---|---|---|
| CVE-2025-65717 | Live Server | 9.1 | 72M+ | Remote file exfiltration | All versions |
| CVE-2025-65715 | Code Runner | 7.8 | 37M+ | Remote code execution | All versions |
| CVE-2025-65716 | Markdown Preview Enhanced | 8.8 | 8.5M+ | JavaScript execution allowing data exfiltration and local port scanning | All versions |
| No CVE | Microsoft Live Preview | — | 11M+ | One-click XSS to full IDE file exfiltration | Fixed in v0.4.16+ |
Extensions function within the IDE as privileged administrative processes. They are able to communicate over the local network, read and alter files, and run code without triggering the usual security alerts.
CVE-2025-65717, rated 9.1 (Critical), lets attackers remotely exfiltrate files from a developer's computer via Live Server's localhost feature. CVE-2025-65716 in Markdown Preview Enhanced (CVSS 8.8) enables JavaScript execution that can scan local ports and steal data, and CVE-2025-65715 in Code Runner (CVSS 7.8) enables remote code execution, the worst-case scenario for any development environment. An XSS flaw in Microsoft's Live Preview extension allowed complete IDE file exfiltration; it was quietly fixed in version 0.4.16 without a CVE being issued or OX Security receiving public credit.
In July and August 2025, OX Security responsibly notified the corresponding maintainers of all three vulnerabilities via social media, GitHub, and email.
According to OX Security, as of the time this article was published, none of the maintainers had addressed the reported issues, a failure that demonstrates the lack of an enforced accountability framework for extension security in well-known IDE marketplaces. Security teams and developers should examine IDE extensions the same way they examine third-party software dependencies. Organizations are advised to audit installed extensions right away and remove any that are not necessary.
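As an added example that is not part of the OX Security report or this article, the script below checks the output of `code --list-extensions --show-versions` against the four extensions named here, treating Live Preview as fixed from 0.4.16 and the other three as affected in every version. The marketplace identifiers and the sample listing are assumptions of the example, not values taken from the page.

```python
import subprocess
from typing import Dict, List, Optional, Tuple

# Marketplace identifiers are an assumption from general knowledge, not taken from the article.
# value: (display name, advisory, first fixed version, or None when every version is affected)
WATCHLIST: Dict[str, Tuple[str, str, Optional[str]]] = {
    "ritwickdey.liveserver": ("Live Server", "CVE-2025-65717 remote file exfiltration, CVSS 9.1", None),
    "formulahendry.code-runner": ("Code Runner", "CVE-2025-65715 remote code execution, CVSS 7.8", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced", "CVE-2025-65716 JS execution and data exfiltration, CVSS 8.8", None),
    "ms-vscode.live-server": ("Live Preview", "XSS to IDE file exfiltration, no CVE", "0.4.16"),
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'0.4.16' -> (0, 4, 16); non-numeric suffixes such as '-beta' are ignored."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def audit(listing: str) -> List[Tuple[str, str, str]]:
    """Return (extension id, version, note) for each installed extension still exposed.
    `listing` is the text printed by `code --list-extensions --show-versions`:
    one publisher.name@version token per line."""
    findings = []
    for token in listing.split():  # split() drops blank lines and surrounding whitespace
        if "@" not in token:
            continue
        ext_id, version = token.rsplit("@", 1)
        entry = WATCHLIST.get(ext_id.lower())  # the CLI may print ids in mixed case
        if entry is None:
            continue
        name, advisory, fixed = entry
        if fixed is not None and parse_version(version) >= parse_version(fixed):
            continue  # already on a patched release (Live Preview >= 0.4.16)
        findings.append((ext_id, version, f"{name}: {advisory}"))
    return findings

# Constructed sample listing so the script runs offline; version numbers are made up.
SAMPLE_LISTING = """\
ritwickdey.LiveServer@5.7.9
ms-vscode.live-server@0.4.15
ms-python.python@2024.22.2
shd101wyy.markdown-preview-enhanced@0.8.15
"""

if __name__ == "__main__":
    try:
        out = subprocess.run(["code", "--list-extensions", "--show-versions"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_LISTING  # no `code` CLI on PATH: fall back to the constructed sample
    for ext_id, version, note in audit(out):
        print(f"{ext_id}@{version}: {note}")
```

Run it on each developer workstation; any line it prints names an installed extension that is still on an affected version.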
Developers should avoid opening untrusted HTML files while any localhost server is running, and should not leave localhost servers running idle. Never paste snippets from chats, emails, or unverified repositories into settings.json or other configuration files.
At the platform level, OX Security advocates enforceable patch response deadlines for maintainers of popular extensions, AI-powered automated scanning of new submissions, and mandatory security reviews before extensions enter marketplaces. The current "install at your own risk" model poses an intolerable and growing organizational risk as AI coding assistants drive rapid increases in extension reliance.