A serious flaw in Microsoft's widely used Visual Studio Code (VS Code) Live Preview extension, which has been downloaded more than 11 million times, exposed developers to local file exfiltration and one-click cross-site scripting (XSS) attacks. This article explains the Live Preview vulnerability. Researchers Nir Zadok and Moshe Siman Tov Bustan of OX Security discovered it, and it has since been fixed.
All Live Preview versions prior to the patched 0.4.16 release are affected. The local development server that Live Preview starts on the developer's machine handles untrusted input improperly. Because it accepts unauthenticated HTTP requests, a malicious website opened in the developer's browser can make the browser send requests to that server, and the responses let the attacker list the files in the served root directory.
Threat actors could exploit a reflected XSS vulnerability in Live Preview's file-handling logic by injecting a specially crafted JavaScript payload. Script running in the local server's origin can read private local files, including source code, environment configuration files (.env) and API keys, and exfiltrate them to a server under the attacker's control. OX Security says it responsibly disclosed the vulnerability to Microsoft on August 7, 2025.
Microsoft initially rated it a low-severity issue, noting that it requires specific user interaction and conditions. On September 11, 2025, however, a silent fix shipped in version 0.4.16 that resolved the XSS without any public acknowledgement. The researchers confirmed that the patch added an escapeHTML function that sanitizes the reflected input and neutralizes the attack vector.
Developers are strongly encouraged to update to the latest version immediately to avoid possible exploitation. Systems running outdated Live Preview versions risk exposing data, particularly if the extension's server is left running while the developer browses untrusted websites.

Exploitation scenario

The attack requires very little user involvement. When a developer with Live Preview running visits a compromised or malicious web page, script on that page can make the browser issue requests to the local Live Preview server (usually at localhost:3000). A JavaScript payload reflected by that server then runs in the localhost origin, where it can silently read configuration files, enumerate internal paths and send the contents to the attacker.
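The bug class described above and the kind of fix the researchers found in 0.4.16, shown as an added example that is not Live Preview's source code or OX Security's proof of concept: a constructed Node.js request handler for a local dev server that echoes the requested path into a file-listing page, first unescaped and then through an escapeHTML function. The handler, the sample file list, the payload and every function name are assumptions made for this illustration.

```javascript
// Added illustration, not Live Preview's code: a minimal local dev server
// handler whose file-listing page echoes the requested path back into HTML.
// renderListingVulnerable() is the bug class the article describes;
// renderListingHardened() applies an escapeHTML() of the kind the
// researchers found in the 0.4.16 patch. All names here are assumptions.

// Escape the characters that change meaning inside HTML text or attributes.
// '&' is handled first so the entities introduced below are not re-escaped.
function escapeHTML(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Constructed sample workspace so the example runs offline.
const SAMPLE_FILES = ["index.html", "app.js", ".env"];

// BEFORE: the request path is interpolated raw. A request for
// /<script>...</script> returns a page that runs the script in the
// http://localhost:3000 origin, from which fetch("/.env") is same-origin.
function renderListingVulnerable(requestedPath, files) {
  const items = files.map((f) => `<li><a href="${f}">${f}</a></li>`).join("");
  return `<h1>Listing for ${requestedPath}</h1><ul>${items}</ul>`;
}

// AFTER: every untrusted value is escaped before it is placed in markup.
function renderListingHardened(requestedPath, files) {
  const items = files
    .map((f) => `<li><a href="${escapeHTML(f)}">${escapeHTML(f)}</a></li>`)
    .join("");
  return `<h1>Listing for ${escapeHTML(requestedPath)}</h1><ul>${items}</ul>`;
}

// Cheap oracle for a live <script> tag in a rendered page. This is a test
// helper, not a sanitizer: it only detects the payload shape used below.
function containsLiveScript(html) {
  return /<script\b/i.test(html);
}

// Extract the decoded path the way a dev server would before rendering.
// Malformed percent-encoding is kept raw instead of crashing the handler.
function requestedPathOf(rawUrl) {
  const pathname = new URL(rawUrl, "http://localhost:3000").pathname;
  try {
    return decodeURIComponent(pathname);
  } catch {
    return pathname;
  }
}

// Model of the HTTP handler: takes the raw request URL, returns the response.
// Wire it to http.createServer() to try it in a browser.
function handleRequest(render, rawUrl, files = SAMPLE_FILES) {
  return {
    status: 200,
    headers: { "Content-Type": "text/html; charset=utf-8" },
    body: render(requestedPathOf(rawUrl), files),
  };
}

// Constructed payload: the same kind of input a malicious page could make
// the browser send to localhost:3000 (harmless marker script, not an exploit).
const demoUrl = "/%3Cscript%3Edocument.title%3D%22xss%22%3C/script%3E";
console.log("before:", handleRequest(renderListingVulnerable, demoUrl).body);
console.log("after: ", handleRequest(renderListingHardened, demoUrl).body);
```

The two console lines make the difference visible: the vulnerable body contains a real `<script>` element in the localhost origin, the hardened body contains only `&lt;script&gt;` text. Escaping on output is the fix the page reports; it does not by itself stop a malicious page from reaching the local server, so keep the server off when it is not needed.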
To reduce exposure:

Recommendation: Action
Update: Update Live Preview to version 0.4.16 or higher.
Turn off extensions: Disable or remove unused IDE extensions.
Limit services: Use a firewall to restrict access to local development services. Note that the attack described here is launched from the developer's own browser on the same machine, so a firewall rule that blocks inbound connections from other hosts does not stop it; it only limits exposure to the rest of the network.
Turn off localhost services: Disable localhost-based services when they are not in use.
Regular updates: Apply updates across all development tools on a regular schedule.

Given how widely VS Code is used in software development, this finding underscores the importance of securing developer environments and minimizing unnecessary local exposure during testing.