Uncovering Vulnerabilities: Risks Posed by Common VSCode Extensions

Flaws in Popular VSCode Extensions Expose Developers to Cyber Attacks

Developers using popular Visual Studio Code (VSCode) extensions may be at risk of cyber attacks due to vulnerabilities with high to critical severity ratings. These extensions, collectively downloaded over 128 million times, could potentially be exploited to steal local files and execute code remotely.

The affected extensions include Live Server (CVE-2025-65715), Code Runner (CVE-2025-65716), Markdown Preview Enhanced (CVE-2025-65717), and Microsoft Live Preview. These security issues were discovered by researchers at Ox Security, who have been attempting to disclose them since June 2025. Unfortunately, no maintainer has responded to their warnings.

Remote Code Execution Risks in IDE

VSCode extensions serve as add-ons that enhance the functionality of Microsoft’s integrated development environment (IDE). They provide additional language support, debugging tools, themes, and customization options, running with significant access to the local development environment.

Ox Security’s reports on the vulnerabilities in these extensions warn that keeping them installed could expose corporate environments to lateral movement, data exfiltration, and system takeover by threat actors.

For example, the critical vulnerability in the Live Server extension could allow attackers to steal local files by directing victims to a malicious webpage. Similarly, the Code Runner extension’s vulnerability enables remote code execution when an attacker manipulates the extension’s configuration file.

The Markdown Preview Enhanced extension, whose flaw carries a high-severity score, can be exploited to execute JavaScript through a maliciously crafted Markdown file. Additionally, the Microsoft Live Preview extension contains a one-click XSS vulnerability, potentially granting access to sensitive files on a developer’s machine.

The risks associated with these vulnerabilities extend to alternative IDEs such as Cursor and Windsurf, highlighting the importance of vigilant security practices among developers.


Protective Measures for Developers

Developers are advised to refrain from running localhost servers unnecessarily, avoid opening untrusted HTML files while servers are running, and exercise caution when applying untrusted configurations or snippets in settings.json.

Furthermore, it is recommended to uninstall unnecessary extensions, install only reputable extensions from trusted publishers, and monitor for any unexpected setting changes that could indicate a security breach.
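One way to monitor for unexpected setting changes is to compare settings.json against a saved baseline. The script below is an added example, not code from Ox Security or any of the extensions. The watched setting namespaces, the function names, and the sample files are assumptions constructed for illustration.

```python
import json
import re

# Assumption: setting namespaces used by the extensions named in the article.
WATCHED_PREFIXES = ("code-runner.", "liveServer.", "markdown-preview-enhanced.", "livePreview.")
_STRING = r'"(?:\\.|[^"\\])*"'  # a JSON string literal, matched first so its contents are skipped
_MISSING = object()

def strip_jsonc(text):
    """settings.json is JSONC: drop comments and trailing commas, leave strings untouched."""
    text = re.sub(_STRING + r"|//[^\n]*|/\*.*?\*/",
                  lambda m: m.group(0) if m.group(0)[0] == '"' else " ", text, flags=re.S)
    return re.sub(_STRING + r"|,(\s*[}\]])",
                  lambda m: m.group(0) if m.group(0)[0] == '"' else m.group(1), text)

def diff_watched(baseline_text, current_text):
    """Return (kind, key) for every watched setting that differs from the baseline."""
    old = json.loads(strip_jsonc(baseline_text))
    new = json.loads(strip_jsonc(current_text))
    keys = {k for k in old.keys() | new.keys() if k.startswith(WATCHED_PREFIXES)}
    findings = []
    for k in sorted(keys):
        a, b = old.get(k, _MISSING), new.get(k, _MISSING)
        if a != b:
            kind = "added" if a is _MISSING else "removed" if b is _MISSING else "changed"
            findings.append((kind, k))
    return findings

# Constructed sample files (not real user settings).
BASELINE = """{
  // known-good copy saved earlier
  "editor.fontSize": 14,
  "http.proxy": "http://proxy.example:8080",
  "code-runner.executorMap": {"python": "python -u"},
}"""
CURRENT = """{
  "editor.fontSize": 16,
  "http.proxy": "http://proxy.example:8080",
  "code-runner.executorMap": {"python": "<constructed unexpected command>"},
  "liveServer.settings.port": 5500 /* not in the baseline */
}"""

if __name__ == "__main__":
    for kind, key in diff_watched(BASELINE, CURRENT):
        print(f"{kind}: {key}")
```

The same comparison applies to a repository's `.vscode/settings.json`, which is worth reviewing before trusting a freshly cloned workspace.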
