Flaws in popular VSCode extensions expose developers to attacks

Vulnerabilities with high to critical severity scores affecting popular Visual Studio Code (VSCode) extensions collectively downloaded more than 128 million times could be exploited to steal local files and execute code remotely.

The security issues impact Live Server (CVE-2025-65715), Code Runner (CVE-2025-65716), Markdown Preview Enhanced (CVE-2025-65717), and Microsoft Live Preview (no identifier assigned).

Researchers at application security company Ox Security discovered the problems and have been trying to disclose them since June 2025. However, the researchers say that no maintainer responded.


Remote code execution in the IDE

VSCode extensions are add-ons that extend the functionality of Microsoft's integrated development environment (IDE). They can add language support, debugging tools, themes, and other functionality or customization options.

They run with significant access to the local development environment, including files, terminals, and network resources.

Ox Security published reports for each of the discovered flaws and warned that keeping the vulnerable extensions installed could expose the corporate environment to lateral movement, data exfiltration, and system takeover.

An attacker exploiting the critical CVE-2025-65717 vulnerability in the Live Server extension (over 72 million downloads on VSCode) can steal local files by directing the target to a malicious webpage.

The CVE-2025-65715 vulnerability in the Code Runner VSCode extension, with 37 million downloads, allows remote code execution by altering the extension's configuration. This could be achieved by tricking the target into pasting or applying a malicious configuration snippet in the global settings.json file.

Rated with a high-severity score of 8.8, CVE-2025-65716 affects Markdown Preview Enhanced (8.5 million downloads) and can be leveraged to execute JavaScript via a maliciously crafted Markdown file.

Ox Security researchers discovered a one-click XSS vulnerability in versions of Microsoft Live Preview before 0.4.16. It can be exploited to access sensitive files on a developer's machine. The extension has more than 11 million downloads on VSCode.

The problems in the extensions also apply to Cursor and Windsurf, which are AI-powered, VSCode-compatible alternative IDEs.
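Since the report names no fixed release for three of the four extensions and only a version boundary (0.4.16) for Microsoft Live Preview, the first defensive step is an inventory: which of these extensions are installed, and at what version. The script below is an added example, not code from the article or from Ox Security. It parses the output of `code --list-extensions --show-versions` (a captured copy or the live command) and flags the affected extensions. The marketplace identifiers in WATCHLIST are assumed from the public marketplace listings, since the article only gives display names; the CLI flags are assumed to work the same for the `cursor` and `windsurf` binaries.

```python
"""Inventory check for the VSCode extensions named in the Ox Security report.

Usage:  python ext_audit.py                 # runs `code --list-extensions --show-versions`
        python ext_audit.py listing.txt     # or reads a captured listing
"""
import re
import subprocess
import sys

# Marketplace IDs are an assumption taken from the public marketplace; the
# article names the extensions only by display name.  A fixed version tuple
# of None means the report cites no fixed release (no maintainer responded).
WATCHLIST = {
    "ritwickdey.liveserver": ("Live Server", None),
    "formulahendry.code-runner": ("Code Runner", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced", None),
    "ms-vscode.live-server": ("Microsoft Live Preview", (0, 4, 16)),  # fixed in 0.4.16 per report
}

# One listing line looks like "publisher.name@1.2.3"
LINE_RE = re.compile(r"^([A-Za-z0-9][\w.-]*\.[\w-]+)@(\d+(?:\.\d+)*)\s*$")


def parse_version(text):
    """'0.4.15' -> (0, 4, 15); tuples compare element-wise, which is what we need."""
    return tuple(int(part) for part in text.split("."))


def parse_listing(text):
    """Map lower-cased extension id -> version tuple; ignores lines that do not match."""
    installed = {}
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            installed[match.group(1).lower()] = parse_version(match.group(2))
    return installed


def audit(installed):
    """Return (extension_id, installed_version, message) for each affected extension found."""
    findings = []
    for ext_id, (name, fixed) in WATCHLIST.items():
        version = installed.get(ext_id)
        if version is None:
            continue
        version_str = ".".join(map(str, version))
        if fixed is None:
            findings.append((ext_id, version_str,
                             f"{name}: affected per Ox Security report, no fixed release cited; "
                             "remove or disable unless required"))
        elif version < fixed:
            findings.append((ext_id, version_str,
                             f"{name}: below fixed version {'.'.join(map(str, fixed))}; update"))
    return findings


# Constructed sample listing (not real inventory data) so the script runs offline.
SAMPLE_LISTING = """\
ms-python.python@2024.22.2
ritwickdey.LiveServer@5.7.9
ms-vscode.live-server@0.4.15
esbenp.prettier-vscode@11.0.0
"""


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = subprocess.run(["code", "--list-extensions", "--show-versions"],
                              capture_output=True, text=True, check=True).stdout
    findings = audit(parse_listing(text))
    for ext_id, version, message in findings:
        print(f"[!] {ext_id}@{version}: {message}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is non-zero when anything on the watchlist is present, so the script can gate a workstation compliance check; extend WATCHLIST with a fixed version once a maintainer publishes one.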

Ox Security's report highlights that the risks associated with a threat actor leveraging these issues include pivoting across the network and stealing sensitive details such as API keys and configuration files.

Developers are advised to avoid running localhost servers unless necessary, to avoid opening untrusted HTML while such servers are running, and to avoid applying untrusted configurations or pasting snippets into settings.json.

It is also recommended to remove unnecessary extensions and only install those from reputable publishers, while monitoring for unexpected setting changes.
