Cybersecurity researchers have disclosed a number of security vulnerabilities in 4 well-liked Microsoft Visible Studio Code (VS Code) extensions that, if efficiently exploited, may enable menace actors to steal native recordsdata and execute code remotely.
The extensions, which have been collectively put in greater than 125 million occasions, are Dwell Server, Code Runner, Markdown Preview Enhanced, and Microsoft Dwell Preview.
“Our analysis demonstrates {that a} hacker wants just one malicious extension, or a single vulnerability inside one extension, to carry out lateral motion and compromise whole organizations,” OX Safety researchers Moshe Siman Tov Bustan and Nir Zadok mentioned in a report shared with The Hacker Information.
Particulars of the vulnerabilities are as follows –
- CVE-2025-65717 (CVSS rating: 9.1) – A vulnerability in Dwell Server that enables attackers to exfiltrate native recordsdata, tricking a developer into visiting a malicious web site when the extension is working, inflicting JavaScript embedded within the web page to crawl and extract recordsdata from the native growth HTTP server that runs at localhost:5500, and transmit them to a website below their management. (Stays unpatched)
- CVE-2025-65716 (CVSS rating: 8.8) – A vulnerability in Markdown Preview Enhanced that enables attackers to execute arbitrary JavaScript code by importing a crafted markdown (.md) file, permitting native port enumeration and exfiltration to a website below their management. (Stays unpatched)
- CVE-2025-65715 (CVSS rating: 7.8) – A vulnerability in Code Runner that enables attackers to execute arbitrary code by convincing a person to change the “settings.json” file by way of phishing or social engineering. (Stays unpatched)
- A vulnerability in Microsoft Dwell Preview permits attackers to entry delicate recordsdata on a developer’s machine by tricking a sufferer into visiting a malicious web site when the extension is working, which then permits specifically crafted JavaScript requests focusing on the localhost to enumerate and exfiltrate delicate recordsdata. (No CVE, Fastened silently by Microsoft in model 0.4.16 launched in September 2025)
To safe the event surroundings, it is important to keep away from making use of untrusted configurations, disable or uninstall non-essential extensions, harden the native community behind a firewall to limit inbound and outbound connections, periodically replace extensions, and switch off localhost-based companies when not in use.
“Poorly written extensions, overly permissive extensions, or malicious ones can execute code, modify recordsdata, and permit attackers to take over a machine and exfiltrate data,” OX Safety mentioned. “Maintaining susceptible extensions put in on a machine is an instantaneous menace to a company’s security posture: it could take just one click on, or a downloaded repository, to compromise every little thing.”
