Supply chain, DevOps, Vulnerability Management

Critical VS Code extension vulnerabilities could lead to code execution and data theft

(Credit: MCGORIE – stock.adobe.com)

As reported by Bleeping Computer, several popular Visual Studio Code extensions, collectively downloaded over 128 million times, contain high to critical severity vulnerabilities that could allow attackers to steal local files and execute code remotely.

The security flaws affect extensions such as Live Server (CVE-2025-65715), Code Runner (CVE-2025-65716), Markdown Preview Enhanced (CVE-2025-65717), and Microsoft Live Preview. Discovered by Ox Security researchers in June 2025, these vulnerabilities allow for actions like stealing local files by directing users to malicious webpages, remote code execution through manipulated configuration files, and cross-site scripting (XSS) attacks via crafted Markdown files.

These issues extend to VS Code-compatible IDEs like Cursor and Windsurf. Attackers could exploit these to pivot within a network and exfiltrate sensitive data, including API keys and configuration files. Developers are advised to exercise caution with untrusted configurations and files, remove unnecessary extensions, and only install software from reputable sources.

Source: Bleeping Computer

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds