In the modern software development ecosystem, Integrated Development Environments (IDEs) such as Microsoft Visual Studio Code have become foundational to daily engineering workflows. To extend functionality and streamline development tasks, teams frequently rely on third-party extensions from the marketplace.
Recent security research, however, has identified critical vulnerabilities in multiple widely adopted VS Code extensions, introducing the risk of remote exploitation within developer environments. With a combined install base exceeding 125 million, these findings underscore a substantial supply chain exposure and reveal a significant security blind spot in contemporary development pipelines.
Vulnerability Details
CVE-2025-65717 (CVSS 9.1) affects the Live Server extension. The flaw enables local file exfiltration by abusing the extension's development HTTP server, which by default listens on localhost:5500. An attacker lures a developer into visiting a malicious web page while the server is running; JavaScript embedded in that page can then send requests to the local server, recursively enumerate the resources it serves, and transmit the files it retrieves to an attacker-controlled domain. The issue remains unpatched at the time of writing.
CVE-2025-65716 (CVSS 8.8) impacts Markdown Preview Enhanced. By delivering a specially crafted Markdown (.md) file, an attacker can trigger arbitrary JavaScript execution within the preview context. Because that context can issue network requests from the developer's machine, successful exploitation enables local port scanning, enumeration of internal services, and potential data exfiltration to external infrastructure. This vulnerability is also currently unpatched.
CVE-2025-65715 (CVSS 7.8) affects the Code Runner extension. The vulnerability is exploited through social engineering: the attacker persuades a developer to paste an attacker-supplied snippet into their settings.json configuration file, for instance as the command Code Runner should use to run a given language. Once the setting is altered, the extension executes the attacker-controlled command the next time the developer runs code, resulting in arbitrary code execution. A patch has not yet been released.
Additionally, a separate vulnerability was identified in Microsoft Live Preview. The issue allowed attackers to access sensitive local files by tricking a developer into visiting a malicious website while the extension was running. Crafted JavaScript requests targeting localhost endpoints could enumerate and retrieve sensitive resources. Although no CVE identifier was assigned, Microsoft addressed the issue silently in version 0.4.16, released in September 2025.
Affected Extensions
- Live Server
- Code Runner
- Markdown Preview Enhanced
- Microsoft Live Preview
These extensions are widely used by developers for tasks ranging from running code snippets to previewing markdown files. The vulnerabilities, if exploited, could allow attackers to steal local files and execute code remotely.
Impact
The security implications of these vulnerabilities are significant. IDE extensions run inside the editor's extension host with the full privileges of the user account running VS Code, including access to the file system, the integrated terminal, and the network, so they effectively function as highly trusted code within a developer's workflow. If compromised, such extensions can serve as a powerful attack vector.
A malicious or exploited extension may be capable of:
- Executing arbitrary commands on the host system
- Modifying or deleting local files
- Establishing persistent access or fully compromising the workstation
- Exfiltrating sensitive source code, credentials, or configuration data
Given the privileged position of developer machines within enterprise environments, successful exploitation can facilitate lateral movement across internal systems. This elevates the risk from individual workstation compromise to broader organizational or network-level breaches.
The relevant MITRE ATT&CK tactics and techniques include:
- TA0009 – Collection: Attackers use vulnerabilities like CVE-2025-65717 in Live Server to gather sensitive information from the developer’s local machine.
- TA0007 – Discovery: Techniques such as file and directory discovery are employed to locate valuable data.
- TA0002 – Execution: The vulnerability CVE-2025-65716 in Markdown Preview Enhanced enables the execution of malicious JavaScript code.
- TA0001 – Initial Access: Attackers may use phishing techniques to trick users into altering settings or visiting malicious sites, as seen with CVE-2025-65715 in Code Runner.
- T1059 – Command and Scripting Interpreter: Abusing JavaScript execution to perform malicious actions.
- T1566 – Phishing: Using phishing emails or social engineering to trick developers into making changes that enable code execution.
- T1566.001 – Spearphishing Attachment: Sending malicious attachments that, when opened, exploit the vulnerabilities.
- T1059.007 – JavaScript: Executing malicious JavaScript code through vulnerabilities in the extensions.
Mitigation & Recommendations
To secure the development environment, consider the following mitigation strategies:
- Avoid browsing untrusted websites, and avoid opening untrusted HTML or Markdown files, while a local development server such as Live Server or Live Preview is running.
- Stop local development servers when you are not using them; do not leave unnecessary servers listening.
- Never paste or run unverified code snippets or configuration fragments in the global settings.json.
- Install only trusted extensions, and consider disabling Live Server, Markdown Preview Enhanced and Code Runner until patched versions are available.
- Monitor and back up settings.json (the user-level file and any workspace .vscode/settings.json) and review every change to it.
- Disable or remove non-essential extensions.
- Open repositories you do not control in VS Code's Restricted Mode (Workspace Trust), which withholds untrusted workspace settings and limits extensions until you have reviewed the project.
- Harden local networks with firewalls to restrict inbound and outbound connections.
- Promptly apply security updates to IDEs, extensions, operating systems, and development dependencies.
Instantly Fix Risks with Saner Patch Management
Saner patch management is continuous, automated, and integrated patch-management software that fixes risks exploited in the wild as soon as they are known. It supports the major operating systems (Windows, Linux, and macOS) as well as 550+ third-party applications.
It also allows you to set up a safe testing area to test patches before deploying them in a primary production environment. Saner patch management additionally supports a patch rollback feature in case of patch failure or a system malfunction.
Experience the fastest and most accurate patching software here.
