VSCode Extensions Flaws Expose 128M Users to Attacks: Code Execution & Data Theft

by Rachel Kim – Technology Editor

Security researchers have identified critical vulnerabilities in four widely used Visual Studio Code (VSCode) extensions – Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview – potentially impacting over 128 million users, according to a report published today by application security firm Ox Security.

The flaws, discovered beginning in June 2025, range in severity from high to critical and could allow attackers to steal local files and execute code remotely on a developer’s machine. Ox Security researchers reported difficulty in contacting the maintainers of the affected extensions, stating that their attempts to disclose the vulnerabilities went unanswered.

The most critical vulnerability, CVE-2025-65717, resides in the Live Server extension, which boasts over 72 million downloads. Exploitation of this flaw allows attackers to steal local files by tricking users into visiting a malicious webpage. The Code Runner extension, with 37 million downloads, is vulnerable to remote code execution (CVE-2025-65715) through manipulation of its configuration file. Attackers could achieve this by persuading a user to paste or apply a malicious configuration snippet into the global settings.json file, according to Ox Security’s analysis.

Markdown Preview Enhanced, with 8.5 million downloads, is affected by CVE-2025-65716, a high-severity vulnerability that enables the execution of JavaScript through maliciously crafted Markdown files. A separate vulnerability was found in Microsoft Live Preview, with over 11 million downloads, allowing access to sensitive files via a one-click XSS exploit in versions prior to 0.4.16.

The risks extend beyond VSCode itself, as the vulnerabilities also apply to alternative, VSCode-compatible IDEs such as Cursor and Windsurf. According to Ox Security, successful exploitation of these vulnerabilities could allow attackers to pivot within a network and steal sensitive information like API keys and configuration files.

Developers are advised to take several precautions to mitigate the risk. These include avoiding the unnecessary use of localhost servers, exercising caution when opening untrusted HTML files while a local server is running, and refraining from applying untrusted configurations or pasting snippets into the settings.json file. Regularly removing unused extensions and installing only those from reputable publishers, along with monitoring for unexpected setting changes, are also recommended.
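The last recommendation, watching settings.json for unexpected changes, can be turned into a small check. The script below is an added example and is not code from the Ox Security report or from any of the extensions named above: it parses the user settings file (which is JSONC, so comments are stripped first), reports keys added, removed or changed since a saved baseline, and flags string values that look like shell commands so a person can review them. The setting names and values in the embedded sample are constructed placeholders, and the file paths are assumptions.

```python
"""Audit a VS Code settings.json against a saved baseline copy.

Added example, not code from the Ox Security report or any extension:
reports keys added/removed/changed since the baseline and flags values
that look like commands. Sample settings below are constructed.
"""
import json
import re
from pathlib import Path

# Heuristic only: command chaining/substitution, or a value that begins
# with an interpreter name. Legitimate settings can match; review by hand.
COMMAND_LIKE = re.compile(
    r"(\$\(|`|&&|\|\||\s\|\s)|^\s*(sh|bash|zsh|cmd(\.exe)?|powershell|pwsh|node|python3?)\b",
    re.IGNORECASE,
)


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments that sit outside string literals.
    Trailing commas (also allowed by VS Code) are not handled here."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):        # line comment: drop to newline
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):        # block comment: drop to */
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def load_settings(text: str) -> dict:
    return json.loads(strip_jsonc(text))


def flatten(obj, path=()):
    """Map nested objects to {(key, subkey, ...): leaf_value}. Tuples are
    used because VS Code setting names themselves contain dots."""
    if isinstance(obj, dict):
        flat = {}
        for k, v in obj.items():
            flat.update(flatten(v, path + (k,)))
        return flat
    return {path: obj}


def diff_settings(baseline: dict, current: dict) -> dict:
    b, c = flatten(baseline), flatten(current)
    name = lambda p: "/".join(p)
    return {
        "added": sorted(name(k) for k in c if k not in b),
        "removed": sorted(name(k) for k in b if k not in c),
        "changed": sorted(name(k) for k in c if k in b and c[k] != b[k]),
    }


def command_like_values(settings: dict) -> list:
    """String values worth a second look before trusting the settings."""
    return [("/".join(k), v) for k, v in flatten(settings).items()
            if isinstance(v, str) and COMMAND_LIKE.search(v)]


def audit(baseline_text: str, current_text: str) -> dict:
    baseline, current = load_settings(baseline_text), load_settings(current_text)
    report = diff_settings(baseline, current)
    report["command_like"] = command_like_values(current)
    return report


# Constructed sample input (placeholder keys, not real extension settings).
BASELINE_TEXT = '{"editor.fontSize": 14, "files.autoSave": "afterDelay"}'
CURRENT_TEXT = """{
  // comment: settings.json is JSONC, so comments are stripped before parsing
  "editor.fontSize": 14,
  "files.autoSave": "off",
  /* placeholder key standing in for an extension-defined command setting */
  "example.extension.command": {"javascript": "sh -c 'echo hi'"}
}"""

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage: python audit_settings.py baseline.json settings.json
        report = audit(Path(sys.argv[1]).read_text(), Path(sys.argv[2]).read_text())
    else:
        report = audit(BASELINE_TEXT, CURRENT_TEXT)
    print(json.dumps(report, indent=2))
```

Keep the baseline copy outside the editor's own configuration directory and re-run the audit after installing or updating an extension, or after pasting any snippet, so that a change you did not make is noticed rather than silently applied.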
