As reported by Bleeping Computer, several popular Visual Studio Code extensions, collectively downloaded over 128 million times, contain high to critical severity vulnerabilities that could allow attackers to steal local files and execute code remotely.The security flaws affect extensions such as Live Server (CVE-2025-65715), Code Runner (CVE-2025-65716), Markdown Preview Enhanced (CVE-2025-65717), and Microsoft Live Preview. Discovered by Ox Security researchers in June 2025, these vulnerabilities allow for actions like stealing local files by directing users to malicious webpages, remote code execution through manipulated configuration files, and cross-site scripting (XSS) attacks via crafted Markdown files.These issues extend to VS Code-compatible IDEs like Cursor and Windsurf. Attackers could exploit these to pivot within a network and exfiltrate sensitive data, including API keys and configuration files. Developers are advised to exercise caution with untrusted configurations and files, remove unnecessary extensions, and only install software from reputable sources.Source: Bleeping Computer
Supply chain, DevOps, Vulnerability Management
Critical VS Code extension vulnerabilities could lead to code execution and data theft

(Credit: MCGORIE – stock.adobe.com)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds



