Critical Flaws Found in Four VS Code Extensions with Over 125 Million Installs

Published: February 18, 2026 at 08:16 AM EST

Source: The Hacker News


Cybersecurity researchers have disclosed multiple security vulnerabilities in four popular Microsoft Visual Studio Code (VS Code) extensions that, if successfully exploited, could allow threat actors to steal local files and execute code remotely.

The extensions—Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview—have collectively been installed more than 125 million times.

“Our research demonstrates that a hacker needs only one malicious extension, or a single vulnerability within one extension, to perform lateral movement and compromise entire organizations.” – OX Security researchers Moshe Siman Tov Bustan and Nir Zadok, in a report shared with The Hacker News.

Vulnerabilities

  • CVE‑2025‑65717 (CVSS 9.1) – A flaw in Live Server that lets an attacker exfiltrate local files. By tricking a developer into visiting a malicious website while the extension is running, JavaScript on the page can crawl the local development HTTP server (default localhost:5500) and transmit files to a domain under the attacker’s control. Remains unpatched.

  • CVE‑2025‑65716 (CVSS 8.8) – A vulnerability in Markdown Preview Enhanced that enables arbitrary JavaScript execution when a crafted Markdown (.md) file is uploaded. This allows local port enumeration and data exfiltration to an attacker‑controlled domain. Remains unpatched.

  • CVE‑2025‑65715 (CVSS 7.8) – A flaw in Code Runner that permits arbitrary code execution if a user is persuaded (e.g., via phishing) to modify the settings.json file. Remains unpatched.

  • Microsoft Live Preview – An XSS‑type vulnerability that lets attackers access sensitive files on a developer’s machine by luring the victim to a malicious website while the extension is active. The crafted JavaScript can target localhost to enumerate and exfiltrate files. No CVE was assigned; the issue was silently fixed by Microsoft in version 0.4.16 (released September 2025).

Mitigation Recommendations

  • Avoid applying untrusted configurations and be cautious of any prompts to modify VS Code settings.
  • Disable or uninstall non‑essential extensions, especially those that are not actively maintained.
  • Harden the local network by restricting inbound and outbound connections with a firewall, limiting exposure of localhost services.
  • Keep extensions up to date; regularly check for security patches and apply them promptly.
  • Turn off localhost‑based services (e.g., development servers) when they are not in use.
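
One way to apply the extension and localhost recommendations above is to audit a workstation's extension inventory. This is an added example, not code from the article or from OX Security: the marketplace IDs used as lookup keys are assumptions to verify against your own install, and the sample listing and its version numbers are constructed.

```python
import re, socket, sys

# Names, CVE ids and the fixed version are from the article; the marketplace
# ids (keys) are assumptions added here and should be checked against your install.
ADVISORIES = {
    "ritwickdey.liveserver": ("Live Server", "CVE-2025-65717", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced", "CVE-2025-65716", None),
    "formulahendry.code-runner": ("Code Runner", "CVE-2025-65715", None),
    "ms-vscode.live-server": ("Microsoft Live Preview", "no CVE assigned", (0, 4, 16)),
}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE = "ms-python.python@2025.1.0\nritwickdey.LiveServer@5.7.9\nms-vscode.live-server@0.4.15\nformulahendry.code-runner@0.12.2\n"

def parse_version(text):
    """'0.4.15' -> (0, 4, 15); missing or non-numeric parts count as 0."""
    nums = [int(m.group()) if (m := re.match(r"\d+", p)) else 0 for p in text.split(".")[:3]]
    return tuple(nums + [0] * (3 - len(nums)))

def audit(listing):
    """Return (name, reference, installed_version, action) for each flagged extension."""
    findings = []
    for line in listing.splitlines():
        ext_id, _, version = line.strip().partition("@")
        entry = ADVISORIES.get(ext_id.lower())  # ids are matched case-insensitively
        if entry is None:
            continue
        name, ref, fixed = entry
        if fixed is None:
            action = "no fix reported: disable or uninstall unless essential"
        elif not version or parse_version(version) < fixed:
            action = "update to %s or later" % ".".join(map(str, fixed))
        else:
            continue  # already at or above the fixed release
        findings.append((name, ref, version or "unknown", action))
    return findings

def port_listening(port=5500, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port (Live Server default is 5500)."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

if __name__ == "__main__":
    # Pipe real output in, or run with no input to see the constructed sample.
    listing = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for finding in audit(listing):
        print(" | ".join(finding))
    if port_listening():
        print("localhost:5500 is listening: stop the dev server when not in use")
```

To check a real machine, pipe the output of `code --list-extensions --show-versions` into the script.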

“Poorly written extensions, overly permissive extensions, or malicious ones can execute code, modify files, and allow attackers to take over a machine and exfiltrate information.” – OX Security

