Critical VS Code Extension Vulnerabilities: 125 Million Installs At Risk

The Four Vulnerabilities At a Glance

OX Security researchers Moshe Siman Tov Bustan and Nir Zadok disclosed their findings on February 18, 2026, after a responsible disclosure process that began in mid-2025. The research covers four widely-used VS Code extensions and demonstrates something the security industry has been warning about for years: IDE extension security is a massive blind spot.

CVE-2025-65717: Live Server — File Exfiltration (CVSS 9.1)

Live Server is one of the most popular VS Code extensions ever made, with over 72 million installs. It spins up a local HTTP server (default: localhost:5500) so you can see live changes to your HTML/CSS/JS as you work. It's the bread and butter of frontend developers everywhere.

That same localhost server is the attack surface.

How the Attack Works

When Live Server is running, it serves your entire working directory over localhost. Browsers have a security model called same-origin policy that's supposed to prevent external websites from accessing localhost. The vulnerability lies in how Live Server handles CORS (Cross-Origin Resource Sharing) and how modern browsers expose localhost to external page scripts.

Attack flow:

1. Developer has Live Server running in VS Code (normal everyday workflow)
2. Attacker sends a malicious link via email, Slack, GitHub issue, Discord — anywhere developers spend time
3. Developer opens the link in their browser
4. JavaScript embedded in the malicious page makes requests to localhost:5500
5. Live Server responds and serves files from the developer's working directory
6. The malicious page harvests file contents and transmits them to attacker-controlled infrastructure
7. Developer sees nothing unusual — no prompts, no warnings

Why It's Still Unpatched

OX Security disclosed this to the Live Server maintainers in mid-2025 via email, GitHub, and social media outreach. There was no response. The extension hasn't received a meaningful security update, and as of February 2026, the vulnerability remains fully exploitable in all versions.

This is a maintainer abandonment problem. Live Server's last commit to the core codebase was years ago. It's a wildly popular extension maintained by a single developer who appears to have moved on.

CVE-2025-65716: Markdown Preview Enhanced — Arbitrary JS Execution (CVSS 8.8)

Markdown Preview Enhanced is the go-to markdown renderer for developers, technical writers, and researchers. It renders markdown with rich features: math equations (KaTeX/MathJax), diagrams (Mermaid, PlantUML), code highlighting, and custom CSS. Its install count runs into the tens of millions.

The problem: it renders user-controlled content in a context that allows JavaScript execution.

How the Attack Works

1. Attacker crafts a malicious .md markdown file
2. File contains embedded JavaScript payload in Markdown Preview Enhanced's custom syntax (e.g., within script tags, code blocks that auto-execute, or custom rendering directives)
3. Developer opens the file — common in code reviews, open-source contribution, or downloading documentation
4. Markdown Preview Enhanced renders the file and executes the JavaScript payload
5. Payload can perform local port enumeration (fingerprint what services are running)
6. Payload exfiltrates data to attacker-controlled domain

The attack requires the developer to open a file — but consider how often developers open untrusted markdown files: cloning a repo, reviewing a pull request, downloading docs, reading a tutorial someone shared. This is a realistic attack vector.

Like CVE-2025-65717, this remains unpatched as of today's disclosure.

CVE-2025-65715: Code Runner — Arbitrary Code Execution (CVSS 7.8)

Code Runner is the most convenient way to run code snippets in VS Code — highlight some Python, press play, see output. It supports dozens of languages and has tens of millions of installs.

It also trusts configuration that can come from version-controlled files.

How the Attack Works

Code Runner reads its execution commands from VS Code's settings.json file. This file can exist at the workspace level (inside the project folder), which means it can be committed to a repository.

1. Attacker creates a project with a malicious .vscode/settings.json
2. The settings file overrides Code Runner's execution commands for a particular language
3. Victim clones the repository and opens it in VS Code
4. Victim runs a code snippet (completely normal action)
5. Code Runner reads the malicious settings and executes attacker-specified commands with the developer's privileges
6. Arbitrary code runs on the developer's machine

The CVSS rating of 7.8 is lower because it requires user interaction (running a snippet). But for developers who habitually use Code Runner — and that's the entire point of installing it — that interaction is reflexive. This is a realistic social engineering vector, especially in open source contribution workflows.

Microsoft Live Preview: The One That Got Fixed (Silently)

Ironically, the one extension made by a trillion-dollar company is the one that actually got patched.

Microsoft's Live Preview extension had a similar flaw to CVE-2025-65717 — a malicious website could make specially crafted JavaScript requests to the extension's localhost server and enumerate and exfiltrate sensitive files. Microsoft fixed this silently in version 0.4.16, released in September 2025, without assigning a CVE or publishing a security advisory.

There's a lesson here: even when a fix exists, silent patching without CVE assignment leaves users in the dark. How many developers knew to look at the changelog of a preview extension? How many updated it specifically because of a security fix they didn't know about?

If you use Microsoft Live Preview: ensure you're running version 0.4.16 or later.

Real-World Attack Scenarios

Let's make this concrete. Here's how each vulnerability could realistically be used in the wild:

Scenario 1: The Phishing Email (CVE-2025-65717)

A developer receives an email that looks like a GitHub notification: "Security researcher found a vulnerability in your project — see details." They click the link. The page loads a "security report" while silently making requests to localhost:5500. Within seconds, their .env file containing AWS credentials, database passwords, and API keys has been exfiltrated. The developer sees a 404 error and thinks nothing of it.

Scenario 2: The Poisoned Repository (CVE-2025-65716)

An attacker submits a pull request to an open-source project, adding a new CONTRIBUTING.md file. The file looks normal but contains a hidden Markdown Preview Enhanced payload. A maintainer clones the branch to review it locally. When they open the file to read the contribution guidelines, their VS Code environment becomes compromised.

Scenario 3: The Malicious Tutorial (CVE-2025-65715)

A "getting started" repository is posted on Reddit, Hacker News, or a developer Discord. It contains a .vscode/settings.json that overrides Code Runner's Python executor. Any developer who clones it and presses Ctrl+Alt+N to run a snippet executes attacker code with their own user privileges.

The Lateral Movement Angle

OX Security's report specifically called out lateral movement: "A hacker needs only one malicious extension, or a single vulnerability within one extension, to perform lateral movement and compromise entire organizations." A compromised developer machine is rarely a dead end — it typically has:

• SSH keys for production servers
• AWS/GCP/Azure credentials
• Source code for internal tooling
• Access tokens for CI/CD pipelines
• VPN credentials
• Internal documentation and IP

Developer workstations are high-value targets. That's why these CVSS scores are as high as they are.

Bug Hunter Angle: What This Means for Your Work

For security researchers and bug bounty hunters, this research highlights several important points:

1. IDE Extension Security is an Emerging Target Class

Extensions run in a trusted context with full access to your file system, terminal, and network. Yet they receive far less security scrutiny than browser extensions, which face stricter store review processes. The VS Code Marketplace does security scanning, but it's catching malware, not architectural vulnerabilities in extension design.

If you're doing source code review or looking for novel attack surfaces, IDE extension abuse deserves attention in your methodology.

2. Localhost Services Are Not Safe from External Pages

The CVE-2025-65717 and Live Preview flaws are a reminder that localhost ≠ private. The Private Network Access spec (Chrome's mitigation) partially addresses this, but implementation is inconsistent. When building developer tools or testing internal web services, assume external pages can reach localhost.

3. Workspace Configuration Files Are Untrusted Input

The CVE-2025-65715 Code Runner flaw reinforces a broad principle: any configuration file that can be committed to a repository should be treated as potentially malicious. This includes .npmrc, Makefile, .env.example, post-install scripts in package.json, and now .vscode/settings.json. VS Code has addressed some of this with workspace trust prompts, but it's not foolproof.

4. Disclosure Without Response: A Documentation Opportunity

OX Security contacted Live Server, Markdown Preview Enhanced, and Code Runner maintainers repeatedly without response. This pattern — critical CVE, unresponsive maintainer, zero-day effectively public — is becoming increasingly common in the open source ecosystem. It's worth documenting in bug bounty reports when you find dependencies with these characteristics in targets' tech stacks.

What To Do Right Now

Immediate Actions (Do These Today)

1. Audit your installed extensions

Open VS Code and run:

code --list-extensions | grep -E "ritwickdey.liveserver|shd101wyy.markdown-preview-enhanced|formulahendry.code-runner|ms-vscode.live-server"

Or open the Extensions panel (Ctrl+Shift+X) and check manually.

2. Disable or uninstall the vulnerable extensions when not in use

VS Code makes this easy — right-click any extension and choose "Disable" or "Uninstall". For Live Server especially: only enable it when you're actively doing frontend development that requires it. Don't leave it running in the background during general browsing.

3. Update Microsoft Live Preview

If you have Microsoft Live Preview installed, ensure it's on version 0.4.16 or later. Check: Extensions panel → search "Live Preview" → click the extension → verify version number.

4. Never run localhost servers while browsing untrusted sites

This is the core mitigation for CVE-2025-65717. The attack requires your browser to be able to reach localhost:5500. If Live Server isn't running, there's no attack surface. Make it a habit: stop Live Server before doing anything else in the browser.

5. Treat workspace settings with suspicion

Before running Code Runner on a cloned repository, review .vscode/settings.json if it exists. Look for any code-runner.* configuration keys that specify custom executors or shell commands.

Longer-Term Mitigations

Tools for Securing Your Development Environment

The broader lesson from these vulnerabilities is that developer environments need the same security discipline as production systems. Here are tools and resources that can help:

Frequently Asked Questions

Is there a patch available for CVE-2025-65717 (Live Server)?

No. As of February 19, 2026, there is no patch. The maintainer has not responded to disclosure attempts. The only mitigation is to disable or uninstall Live Server, and never run it while browsing untrusted websites.

Am I only vulnerable if I'm on Windows?

No — these vulnerabilities affect all platforms where VS Code runs: Windows, macOS, and Linux. The core issue is the extension's localhost behavior, which is platform-agnostic.

Does VS Code's Workspace Trust feature protect me?

Partially. Workspace Trust can help with CVE-2025-65715 (Code Runner via settings.json) if you properly mark untrusted workspace folders as "Restricted". However, CVE-2025-65717 and CVE-2025-65716 are not mitigated by Workspace Trust because they exploit the extension's running state or rendering behavior, not workspace configuration.

How do I know if I've been exploited?

For CVE-2025-65717, look for unexpected outbound HTTP connections from your browser to unknown external domains. Check your browser developer tools (Network tab) while Live Server is running. For the others, review recently executed code via Code Runner's output pane or terminal history. Also check for unusual file access in any recent project work.

Should I report this to my employer's security team?

Yes, absolutely — especially if you use these extensions in a work environment with access to production systems, credentials, or sensitive code. Enterprise security teams need to assess exposure across their developer population. Point them to the OX Security research and this article.

The Bottom Line

Three unpatched CVEs in extensions used by tens of millions of developers. All three are practical, realistic attack vectors that don't require exotic conditions to exploit. The threat model — developer opens malicious link, opens crafted file, opens compromised repo — describes a normal workday.

The security research community has known for years that IDE extensions are an underexamined attack surface. These disclosures make it concrete. The response from three of the four extension maintainers — silence — illustrates the systemic problem with relying on volunteer-maintained tools for security-sensitive workflows.

For now: audit your extensions, disable what you don't need, enable VS Code Workspace Trust, and treat that localhost server as the network service it actually is.

Related Articles