Attack Flow | Image: OX Security
A wildly popular tool designed to make web development easier is currently harboring a massive security blind spot. Researchers at OX Security have unearthed a severe flaw in the Live Server extension for Visual Studio Code, exposing tens of millions of developers to remote code theft and credential harvesting.
Carrying a CVSS score of 9.1, the vulnerability, tracked as CVE-2025-65717, transforms a developer’s own local environment into an open vault for cybercriminals.
To understand the threat, one must understand the tool. As the report explains, “Live Server is a Visual Studio Code extension that starts a local development HTTP server and automatically reloads the browser when files in the workspace change, supporting both static and dynamic pages”. It allows developers to preview their changes in real time without manually refreshing the browser.
Because this server operates locally, many developers assume their workspace is safely isolated from the public internet. However, OX Security found a way to bridge that gap.
The researchers “discovered a vulnerability in the Live Server extension for VS Code that allows a remote, unauthenticated attacker to exfiltrate files from a developer’s local machine”. The attack vector is frighteningly simple: “Attackers only need to send a malicious link to the victim while Live Server is running in the background”.
Once the developer clicks the malicious link, a hidden JavaScript payload executes in their browser. The OX Security report provides technical snippets demonstrating how this payload systematically pillages the local server.
The script initiates a “recursive crawling function that fetches a page, exfiltrates its content, and follows Links if it’s an HTML page”. It parses the HTML document, extracts all anchor tags, and then silently sends the fetched data to an attacker-controlled interactsh server.

The impact of this automated crawling is devastating for intellectual property and security. The report outlines two primary attack scenarios:
- Stealing sensitive source code: “Crawling localhost can expose proprietary code, scripts, or configuration files”.
- Exfiltrating credentials: Attackers can siphon “Any files, including environment variables inside the .env files, containing API keys, passwords, or .env…”.
Despite the extension boasting over 72 million installs, the developers behind Live Server have seemingly gone dark.
“The issue was disclosed in August 2025 with no maintainer response to date,” the OX Security report warns.
Until a patch is released, developers utilizing the Live Server extension are urged to be hyper-vigilant about the links they click while their local environments are actively running, as a single malicious webpage could silently drain their entire workspace.