Flaws in popular VSCode extensions expose developers to attacks

Critical and high-severity vulnerabilities in popular VSCode extensions could be exploited to steal local files and to achieve remote code execution; the affected extensions have more than 128 million combined downloads. Ox Security disclosed the issues after the maintainers did not respond, and advises developers to remove unnecessary extensions, avoid opening untrusted HTML or running localhost servers, and monitor for unexpected configuration changes.

Keypoints

  • High- and critical-severity flaws affect Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview, totaling 128M+ downloads.
  • CVE-2025-65717 in Live Server can be abused to steal local files by directing victims to a malicious webpage.
  • CVE-2025-65715 in Code Runner allows remote code execution by tricking users into applying malicious snippets to settings.json.
  • CVE-2025-65716 in Markdown Preview Enhanced enables JavaScript execution via crafted Markdown, and Microsoft Live Preview before 0.4.16 has a one-click XSS to access files.
  • Ox Security warns these flaws enable lateral movement, API key/config theft, and system takeover; developers should remove unneeded extensions, avoid untrusted HTML/localhost servers, and monitor settings.
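One concrete way to act on the last point (monitoring settings for unexpected changes, in this case the Code Runner settings that a pasted snippet would need to touch to get a command executed) is to diff the current settings.json against a known-good baseline and flag any change to keys whose values reach a shell. The script below is an added illustration, not code from Ox Security, BleepingComputer or the Code Runner project; the two setting names it watches (`code-runner.executorMap`, `code-runner.customCommand`) are Code Runner's documented settings, while the tolerant JSON-with-comments loader, the audit rule and the two sample settings files are this example's own constructions.

```python
"""Audit a VS Code settings.json against a baseline and flag changes to
Code Runner settings whose values are handed to a shell (example code)."""
import json
import re
from pathlib import Path

# Code Runner setting names whose values end up on a command line.
# The names are real Code Runner settings; treating any change to them
# as a finding is this example's own (assumed) audit rule.
WATCHED_KEYS = ("code-runner.executorMap", "code-runner.customCommand")

# Constructed samples: a baseline captured on a known-good day, and the
# current file after a "helpful snippet" was pasted in (both invented here).
BASELINE_JSON = """{
    "editor.fontSize": 14,
    "code-runner.runInTerminal": true
}"""

CURRENT_JSON = """{
    // pasted from a blog post
    "editor.fontSize": 14,
    "code-runner.runInTerminal": true,
    "code-runner.executorMap": {
        "python": "sh /tmp/unexpected.sh && python -u"
    },
}"""


def load_settings(text: str) -> dict:
    """Parse VS Code's JSON-with-comments settings format.

    Best-effort: plain JSON first, then strip full-line // comments and
    trailing commas (enough for hand-edited settings files, not a full JSONC parser).
    """
    try:
        return json.loads(text)
    except json.JSONDecodeError:
        pass
    no_comments = "\n".join(
        line for line in text.splitlines() if not line.strip().startswith("//")
    )
    no_trailing = re.sub(r",(\s*[}\]])", r"\1", no_comments)
    return json.loads(no_trailing)


def flatten(obj: dict, prefix: str = "") -> dict:
    """Flatten nested dicts into dotted keys so each executorMap entry is compared on its own."""
    out = {}
    for k, v in obj.items():
        key = f"{prefix}.{k}" if prefix else k
        if isinstance(v, dict):
            out.update(flatten(v, key))
        else:
            out[key] = v
    return out


def audit_settings(baseline: dict, current: dict) -> list:
    """Return one finding per watched key that was added, removed or modified."""
    old, new = flatten(baseline), flatten(current)
    findings = []
    for key in sorted(set(old) | set(new)):
        if not key.startswith(WATCHED_KEYS):
            continue  # unrelated settings (font size, terminal flags, ...) are ignored
        if key not in old:
            findings.append({"key": key, "change": "added", "value": new[key]})
        elif key not in new:
            findings.append({"key": key, "change": "removed", "value": old[key]})
        elif old[key] != new[key]:
            findings.append({"key": key, "change": "modified", "value": new[key]})
    return findings


def audit_files(baseline_path: Path, current_path: Path) -> list:
    """Same audit over two files on disk, e.g. a saved snapshot and the live settings.json."""
    return audit_settings(
        load_settings(baseline_path.read_text(encoding="utf-8")),
        load_settings(current_path.read_text(encoding="utf-8")),
    )


if __name__ == "__main__":
    for finding in audit_settings(load_settings(BASELINE_JSON), load_settings(CURRENT_JSON)):
        print(f"{finding['change']:8} {finding['key']} = {finding['value']!r}")
```

Run against the constructed samples it reports the new `code-runner.executorMap.python` entry, which is exactly the kind of change that should prompt a look at where the snippet came from. In practice `audit_files` would be pointed at a snapshot taken when the workstation was set up and at the live user or workspace settings.json; keeping the watched-key list short keeps the noise down, and adding a reviewed baseline update after each deliberate change keeps the check meaningful.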

Read More: https://www.bleepingcomputer.com/news/security/flaws-in-popular-vscode-extensions-expose-developers-to-attacks/