Security Alert: Vulnerable VS Code extensions can steal files and run remote code on millions of machines

Published · 4 min read

Cybersecurity researchers have put a serious warning on the table for millions of developers: several popular Visual Studio Code extensions contain flaws that, properly exploited, allow an attacker to steal local files and run code remotely. These tools, including Live Server, Code Runner, Markdown Preview Enhanced and Microsoft Live Preview, add up to 125 million installations, which makes the vulnerabilities a far-reaching risk for entire teams and organizations. The full report by the discoverers is available on the OX Security blog.

The attack vector described by the researchers takes advantage of features common to many extensions: local servers that expose resources on localhost, the ability to run JavaScript in a preview, and the ability to read and modify editor settings. In the case of Live Server, for example, the extension by default starts a development server on a local port. An attacker can induce the victim to visit a malicious website and, while the extension is active, the embedded code makes requests to the local server to retrieve files and send them to a domain controlled by the attacker. OX Security documents this finding in more detail in its analysis of CVE-2025-65717.


Other problems detected follow similar patterns with technical variations. In Markdown Preview Enhanced, a flaw has been identified that allows arbitrary execution of JavaScript when a specially crafted .md file is opened; this can facilitate the enumeration of local ports and the exfiltration of information to external domains (see the OX Security report on CVE-2025-65716). Code Runner, on the other hand, has a weakness that allows code execution if an attacker can trick the developer into modifying their configuration file (settings.json), a classic social engineering technique documented as CVE-2025-65715. All of these vulnerabilities have high CVSS scores that reflect their severity.

Microsoft Live Preview was also singled out for allowing a malicious script aimed at localhost to access sensitive files while the extension was running. Unlike the other vulnerabilities, Microsoft published a fix, mentioned only inconspicuously in the changelog, in version 0.4.16 of the project; the evidence and details of the fix appear in the official repository changelog, while OX Security's technical analysis can be consulted on its blog.

Why are such flaws particularly dangerous in a development environment? Because programming environments often contain keys, certificates, passwords in configuration files, and repositories with access to business infrastructure. A single innocent action, such as opening a file, visiting a website or applying a recommended configuration on a project, may be enough to trigger the exploitation chain. The researchers insist that a single vulnerable extension would be sufficient to move laterally and compromise an organization, and warn about poorly designed extensions, or extensions with overly broad permissions, that can run code and modify files without strict control.

In the face of this scenario, practical and realistic measures should be taken to reduce the risk. It is recommended not to apply configurations or extensions from unverified sources, to uninstall what is not used, and to keep extensions up to date so that patches are received. It is also prudent to isolate local services behind firewalls that restrict incoming and outgoing connections, and to disable localhost servers when they are not needed. Microsoft offers general information on managing and using extensions in its Visual Studio Code documentation, which can be found in its official guide.
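As an added example (not from the article or from OX Security), the following script audits the output of `code --list-extensions --show-versions` for the four extensions named above and flags a Microsoft Live Preview install older than the 0.4.16 fix. The Marketplace extension ids are assumptions, and the sample listing is constructed.

```python
"""Audit a VS Code extension listing for the extensions named in the report.

Input is the text printed by `code --list-extensions --show-versions`
(one `publisher.name@version` per line). The extension ids below are
assumed Marketplace ids; 0.4.16 is the Live Preview fix version cited.
"""
import re
import subprocess

# Assumed Marketplace ids for the four extensions named in the article.
# Only Live Preview has a fix version cited; the others get "update or remove".
WATCHLIST = {
    "ritwickdey.liveserver": ("Live Server", None),
    "formulahendry.code-runner": ("Code Runner", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced", None),
    "ms-vscode.live-server": ("Microsoft Live Preview", "0.4.16"),
}

LINE_RE = re.compile(r"^(?P<id>[^@\s]+)@(?P<version>\S+)$")


def parse_version(v):
    # "0.4.16" -> (0, 4, 16); non-numeric parts compare as 0
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def audit(listing):
    """Return a list of (extension name, installed version, status)."""
    findings = []
    for raw in listing.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m or m["id"].lower() not in WATCHLIST:
            continue
        name, fixed = WATCHLIST[m["id"].lower()]
        if fixed is None:
            status = "update or remove: no fixed version cited in the report"
        elif parse_version(m["version"]) < parse_version(fixed):
            status = f"vulnerable: update to {fixed} or later"
        else:
            status = "patched"
        findings.append((name, m["version"], status))
    return findings


def audit_installed():
    """Run the real `code` CLI and audit its output (requires VS Code on PATH)."""
    out = subprocess.run(["code", "--list-extensions", "--show-versions"],
                         capture_output=True, text=True, check=True).stdout
    return audit(out)


# Constructed sample listing so the script runs offline.
SAMPLE = "ms-python.python@2024.22.0\nritwickdey.LiveServer@5.7.9\n" \
         "ms-vscode.live-server@0.4.15\nformulahendry.code-runner@0.12.2\n"

if __name__ == "__main__":
    for name, version, status in audit(SAMPLE):
        print(f"{name} {version}: {status}")
```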


In addition to these measures, standard digital hygiene practices remain essential: be suspicious of unknown repositories and files, avoid running configuration steps received through unverified channels, and teach teams to recognize social engineering attempts to alter local configuration files. Organizations with mature security policies should consider additional controls, such as reviewing the list of permitted extensions, using isolated working environments (sandboxing), and monitoring unusual traffic to external domains from development machines.

The spread of these vulnerabilities highlights a wider weakness: extensions enrich code editors, but they also expand the attack surface. The work of security companies like OX Security helps to make these scenarios visible and to press for fixes. If you want to review the technical analysis of each flaw, OX Security has posted specific entries for Live Server, Markdown Preview Enhanced and Code Runner on its blog, in addition to the general analysis.

In short, it is not a question of demonizing extensions, but of treating them with the same caution as any software that has access to sensitive data. Reviewing, restricting and updating are simple actions that can make the difference between a safe development environment and a breach with serious consequences. Keep an eye on the communications of the maintainers of the extensions you use and apply patches as soon as they are available.
