VS Code Extensions Flaw Exposes Files & Enables RCE

Cybersecurity researchers at OX Security have disclosed four serious vulnerabilities across hugely popular Visual Studio Code extensions, collectively installed more than 125 million times, that could let attackers steal sensitive local files or execute arbitrary code on developers' machines.

The following extensions are vulnerable:
1. Live Server (CVE-2025-65717, CVSS 9.1 - Critical, not patched) - The compromise occurs when a developer visits a malicious URL while the extension is active: JavaScript on the malicious site can reach the localhost:5500 local development server, crawl it, and exfiltrate files from the developer's project directory.

2. Markdown Preview Enhanced (CVE-2025-65716, CVSS 8.8 - High, not patched) - An attacker can craft an .md file that executes arbitrary JavaScript in the markdown preview pane, including code that scans local ports and exfiltrates data from the target system to an attacker-controlled location.

3. Code Runner (CVE-2025-65715, CVSS 7.8 - High, not patched) - An attacker may use social engineering or phishing to trick users into pasting malicious values into their settings.json file, resulting in arbitrary code execution when the Code Runner extension reads the updated configuration.

4. Microsoft Live Preview (no CVE assigned, silently fixed in v0.4.16 – September 2025) - Similar to Live Server: a malicious website can use localhost requests to enumerate and steal sensitive files while the extension is active.

OX Security researchers Moshe Siman Tov Bustan and Nir Zadok emphasized the severity: "A single malicious extension or one vulnerable extension can enable lateral movement and compromise entire organizations." Developers often grant extensions broad filesystem access, making them powerful footholds if abused.

Why This Matters
Extensions like these are cornerstones of backend, web-based, and documentation workflows. Developers run them continuously, which keeps local listening services exposed and creates paths for processing untrusted content (e.g., markdown files written by other engineers). Simply clicking a phishing link or opening a compromised repository could lead to file theft or code execution on the developer's machine without requiring elevated user permissions.

Immediate Recommendations
1. Update immediately where patches are available (Microsoft Live Preview version 0.4.16 or later).
2. Remove all non-mission-critical extensions to minimize risk and reduce overhead, especially extensions you do not actively use on a daily basis.
3. Be cautious with untrusted configuration: do not copy and paste settings.json content from emails, forum posts, or anyone you are unfamiliar with.
4. Protect the local loopback interface with a firewall rule that blocks unexpected inbound or outbound traffic on localhost.
5. Turn off services running on your computer when you are not using them, including but not limited to Live Server, preview panes, and code runners.
6. Check the permissions of any installed extension via VS Code -> Extensions -> [Your Extension] -> Extension Settings and review the Permissions section.
7. In an enterprise environment, have your administrator create an organizational VS Code policy that prohibits installation of high-risk extensions and disables access via the localhost address.
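A small audit script, added here as an illustration and not part of the OX Security advisory, that turns recommendations 1, 2, 3 and 6 into a repeatable check: it reads the output of `code --list-extensions --show-versions`, flags the four extensions named above (Marketplace IDs and the `code-runner.executorMap` setting are assumed from the Marketplace, not stated in the article), compares Live Preview against the 0.4.16 fix version, and lists any code-runner.* keys in settings.json for manual review. The sample listing and settings are constructed.

```python
import json
import re

# Marketplace IDs and fix state as given in the advisory summary above.
# IDs are assumed from the Marketplace; None means no patch was available.
ADVISORY = {
    "ritwickdey.liveserver": ("Live Server", "CVE-2025-65717", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced", "CVE-2025-65716", None),
    "formulahendry.code-runner": ("Code Runner", "CVE-2025-65715", None),
    "ms-vscode.live-server": ("Microsoft Live Preview", "no CVE", (0, 4, 16)),
}

def parse_version(text):
    """'0.4.15' -> (0, 4, 15); tolerant of suffixes such as '-preview'."""
    return tuple(int(p) for p in re.findall(r"\d+", text)[:3])

def audit_extensions(listing):
    """Check `code --list-extensions --show-versions` output (publisher.name@version lines)."""
    findings = []
    for line in listing.splitlines():
        ext_id, sep, version = line.strip().rpartition("@")
        entry = ADVISORY.get(ext_id.lower()) if sep else None
        if entry is None:
            continue  # not in the advisory, or not an id@version line
        name, cve, fixed = entry
        if fixed is None:
            status = "no patch available: remove or disable"
        elif parse_version(version) >= fixed:
            status = "patched"
        else:
            status = "update to %s or later" % ".".join(map(str, fixed))
        findings.append((name, cve, version, status))
    return findings

def code_runner_keys(settings_text):
    """List every code-runner.* key in settings.json so pasted values can be reviewed."""
    # settings.json may contain // comments (JSONC); drop whole-line comments before parsing
    body = "\n".join(l for l in settings_text.splitlines() if not l.strip().startswith("//"))
    return {k: v for k, v in json.loads(body).items() if k.startswith("code-runner.")}

# Constructed sample input, not taken from a real machine.
SAMPLE_LISTING = "ms-python.python@2024.22.0\nritwickdey.liveserver@5.7.9\nms-vscode.live-server@0.4.15\n"
SAMPLE_SETTINGS = '{\n  // editor prefs\n  "editor.fontSize": 14,\n  "code-runner.executorMap": {"python": "python3 -u"}\n}'

if __name__ == "__main__":
    for name, cve, version, status in audit_extensions(SAMPLE_LISTING):
        print(f"{name} ({cve}) {version}: {status}")
    for key, value in code_runner_keys(SAMPLE_SETTINGS).items():
        print(f"review {key} = {value!r}")
```

On a real machine, pipe `code --list-extensions --show-versions` into `audit_extensions` and pass the contents of your user settings.json to `code_runner_keys`.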

Remember that extensions are simply programs (modules) that run with your privileges; if any installed extension can be exploited, your source files, credentials, API keys, and projects could easily be compromised. In a world where developers are prime targets, treating extensions as potential attack vectors, not just productivity boosters, is now essential.

Full report and indicators: OX Security advisory (shared with The Hacker News). Check the VS Code Marketplace for the latest versions and review your installed extensions today.

Source: The Hacker News

© 2016 - 2026 Red Secure Tech Ltd. Registered in England and Wales under Company Number: 15581067