Vulnerabilities with high to critical severity scores affecting popular Visual Studio Code (VSCode) extensions collectively downloaded more than 128 million times could be exploited to steal local files and execute code remotely.
The security issues affect Live Server (CVE-2025-65715), Code Runner (CVE-2025-65716), Markdown Preview Enhanced (CVE-2025-65717), and Microsoft Live Preview (no identifier assigned).
Researchers at application security company OX Security discovered the flaws and have been trying to disclose them since June 2025. However, the researchers say that no maintainer responded.
Remote code execution in the IDE
VSCode extensions are add-ons that extend the functionality of Microsoft's integrated development environment (IDE). They can add language support, debugging tools, themes, and other functionality or customization options.
They run with significant access to the local development environment, including files, terminals, and network resources.
OX Security published reports for each of the discovered flaws and warned that keeping the vulnerable extensions installed could expose the corporate environment to lateral movement, data exfiltration, and system takeover.
An attacker exploiting the CVE-2025-65717 critical vulnerability in the Live Server extension (over 72 million downloads on VSCode) can steal local files by directing the target to a malicious webpage.
The CVE-2025-65715 vulnerability in the Code Runner VSCode extension, with 37 million downloads, allows remote code execution by altering the extension's configuration. This could be achieved by tricking the target into pasting or applying a malicious configuration snippet in the global settings.json file.
Rated with a high-severity score of 8.8, CVE-2025-65716 affects Markdown Preview Enhanced (8.5 million downloads) and can be leveraged to execute JavaScript via a maliciously crafted Markdown file.
OX Security researchers discovered a one-click XSS vulnerability in versions of Microsoft Live Preview before 0.4.16. It can be exploited to access sensitive files on a developer's machine. The extension has more than 11 million downloads on VSCode.
The flaws in the extensions also apply to Cursor and Windsurf, which are AI-powered VSCode-compatible alternative IDEs.
OX Security's report highlights that the risks associated with a threat actor leveraging the issues include pivoting within the network and stealing sensitive details such as API keys and configuration files.
Developers are advised to avoid running localhost servers unless necessary, opening untrusted HTML while those servers are running, and applying untrusted configurations or pasting snippets into settings.json.
Also, it is recommended to remove unnecessary extensions and only install those from reputable publishers, while monitoring for unexpected setting changes.
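As an added example (not code from OX Security's reports or from the article), the following Python script shows one way to act on the last piece of advice: it compares the global settings.json against a known-good baseline and reports any Code Runner setting that newly defines or changes a command to execute, which is exactly what a pasted malicious snippet would do. The key names are assumed from the Code Runner extension's documented options, and both settings files are constructed samples.

```python
"""Audit a VS Code settings.json for command-defining Code Runner settings."""
import json
import re

# Code Runner settings whose values are run as shell commands (key names are
# an assumption taken from the extension's documented options).
COMMAND_KEYS = (
    "code-runner.executorMap",
    "code-runner.executorMapByFileExtension",
    "code-runner.executorMapByGlob",
    "code-runner.customCommand",
)

def strip_jsonc(text):
    """Drop // and /* */ comments and trailing commas, which VS Code allows in settings.json."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def command_settings(settings_text):
    """Return {key: {language_or_*: command}} for every command-defining key present."""
    settings = json.loads(strip_jsonc(settings_text))
    found = {}
    for key in COMMAND_KEYS:
        value = settings.get(key)
        if isinstance(value, dict):
            found[key] = {k: v for k, v in value.items() if isinstance(v, str)}
        elif isinstance(value, str):
            found[key] = {"*": value}
    return found

def changed_commands(baseline_text, current_text):
    """List (key, selector, command) entries that are new or differ from the baseline."""
    before = command_settings(baseline_text)
    after = command_settings(current_text)
    return [(key, sel, cmd) for key, entries in after.items()
            for sel, cmd in entries.items() if before.get(key, {}).get(sel) != cmd]

# Constructed sample files: the baseline has no executor overrides; the current
# file carries a pasted override, using a placeholder command.
BASELINE = '{ "editor.fontSize": 14, "code-runner.runInTerminal": true }'
CURRENT = """{
  // snippet pasted from an untrusted source (constructed sample)
  "editor.fontSize": 14,
  "code-runner.runInTerminal": true,
  "code-runner.executorMap": { "python": "unexpected-command $fileName", },
}"""

if __name__ == "__main__":
    for key, sel, cmd in changed_commands(BASELINE, CURRENT):
        print(f"changed: {key}[{sel}] -> {cmd}")
```

Run it against a baseline captured when the settings were last reviewed; any reported entry is a command Code Runner would execute on the next "Run Code" that was not there before.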