Researchers uncovered critical vulnerabilities in four widely used Visual Studio Code extensions — Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview — that together have been installed over 128 million times. OX Security warned these flaws could enable remote code execution, file exfiltration, and lateral movement from developer machines into enterprise networks, risking exposure of API keys, credentials, and proprietary code. #LiveServer #CodeRunner
Keypoints
- Four popular VS Code extensions with more than 128 million combined installs contain severe vulnerabilities.
- Three of the flaws were assigned CVEs (CVE-2025-65717, CVE-2025-65715, CVE-2025-65716) and carry high CVSS scores; all three are remotely exploitable.
- The Microsoft Live Preview issue, a one-click XSS that escalates to exfiltration of any file the IDE can read, was fixed in version 0.4.16 but received no CVE.
- Exploited extensions can allow remote code execution, data exfiltration, and lateral movement into corporate networks.
- Mitigations include installing only trusted extensions, avoiding untrusted HTML and configs, backing up settings.json, hardening local networks, and keeping IDEs and extensions updated.
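The last two mitigations (install only trusted extensions, keep them updated) are easiest to enforce when the check is scripted. The following audit is an added example written for this page, not code from OX Security or the article: it parses the output of `code --list-extensions --show-versions`, flags the four named extensions, and compares Live Preview against the 0.4.16 fix version the article gives. The Marketplace IDs in the watchlist are my assumption (verify them on each extension's Marketplace page), the other three extensions get a "review" status because the page states no fixed version for them, and the sample listing is constructed, not a real capture.

```python
import re
import subprocess

# Marketplace identifiers for the four extensions named in the article.
# These IDs are an assumption (check each extension's Marketplace page);
# the only fixed version the article states is Live Preview 0.4.16.
WATCHLIST = {
    "ritwickdey.liveserver": ("Live Server", None),
    "formulahendry.code-runner": ("Code Runner", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced", None),
    "ms-vscode.live-server": ("Microsoft Live Preview", "0.4.16"),
}

# Constructed sample of `code --list-extensions --show-versions` output,
# one "publisher.name@version" entry per line. Not a real capture.
SAMPLE_LISTING = """\
ms-python.python@2024.22.2
ritwickdey.LiveServer@5.7.9
formulahendry.code-runner@0.12.2
ms-vscode.live-server@0.4.15
"""

_LINE_RE = re.compile(r"^([A-Za-z0-9][\w-]*\.[\w-]+)@(\S+)$")


def parse_version(version: str) -> tuple:
    """Numeric dotted prefix of a version string: '0.4.16-beta' -> (0, 4, 16)."""
    core = version.split("-", 1)[0]
    return tuple(int(p) for p in re.findall(r"\d+", core))


def parse_listing(text: str) -> dict:
    """Map lowercased extension ID -> installed version from the CLI listing."""
    found = {}
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if m:
            # Marketplace IDs are case-insensitive; normalise for lookup.
            found[m.group(1).lower()] = m.group(2)
    return found


def audit(text: str) -> list:
    """One finding per installed extension on the watchlist.

    status is 'outdated' when a fixed version is known and the installed
    version is older, 'patched' when it is at or past the fix, and 'review'
    when the page gives no fixed version (check the vendor advisory).
    """
    installed = parse_listing(text)
    findings = []
    for ext_id, (name, fixed) in WATCHLIST.items():
        version = installed.get(ext_id)
        if version is None:
            continue  # not installed, nothing to report
        if fixed is None:
            status = "review"
        elif parse_version(version) >= parse_version(fixed):
            status = "patched"
        else:
            status = "outdated"
        findings.append({"id": ext_id, "name": name, "installed": version,
                         "fixed": fixed, "status": status})
    return findings


def live_listing(cli: str = "code") -> str:
    """Query the local VS Code CLI; pass cli='code-insiders' etc. as needed."""
    proc = subprocess.run([cli, "--list-extensions", "--show-versions"],
                          capture_output=True, text=True, check=True)
    return proc.stdout


if __name__ == "__main__":
    # Swap SAMPLE_LISTING for live_listing() to audit the real machine.
    for f in audit(SAMPLE_LISTING):
        print(f"{f['status']:8} {f['name']} ({f['id']}) "
              f"installed={f['installed']} fixed={f['fixed'] or 'n/a'}")
```

On a fleet, run `live_listing()` per developer host and treat any "outdated" result as a ticket; the "review" entries still need the advisory for each extension, since the page gives no fix version for them.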
Read More: https://thecyberexpress.com/vs-code-extensions-supply-chain-security-flaws/