Ubiquitous extensions for Visual Studio Code, boasting a cumulative download count exceeding 128 million, have been unmasked as susceptible to exploits involving local file exfiltration and remote code execution. These security lapses were identified within several prominent add-ons relied upon daily by the global developer community.
The vulnerabilities implicate the Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview extensions. They have been formally cataloged as CVE-2025-65715, CVE-2025-65716, and CVE-2025-65717, with an additional flaw awaiting designation. These were unearthed by Ox Security, an application security firm; researchers noted that their attempts to coordinate with the extension maintainers since June 2025 met with silence.
While extensions profoundly augment the development environment by integrating language support and debugging utilities, they simultaneously acquire expansive privileges over the host workspace, including the file system, terminal, and network resources. Any inherent defect thus serves as a conduit for adversaries to compromise both the developer's local machine and the broader corporate infrastructure.
The most critical flaw, designated CVE-2025-65717, resides within the preview mechanism of the Live Server extension, a tool utilized by over 72 million users. An aggressor could entice a victim into accessing a meticulously crafted webpage, thereby facilitating unauthorized access to local system files.
Furthermore, CVE-2025-65715 within Code Runner (installed by over 37 million individuals) permits arbitrary remote code execution. To achieve this, an adversary must persuade a user to integrate a deleterious configuration snippet into their settings.json file. Once the configuration is altered, the extension begins executing commands dictated by the attacker.
Another significant issue, CVE-2025-65716, was detected in Markdown Preview Enhanced, which serves approximately 8.5 million installations. A strategically designed Markdown file can trigger the execution of malicious JavaScript during the document preview process. Additionally, a one-click XSS vulnerability was identified in Microsoft Live Preview (versions prior to 0.4.16), enabling the unauthorized reading of sensitive files on the developer's workstation. This extension has been adopted by over 11 million users.
These systemic failures extend beyond Visual Studio Code, impacting compatible IDEs such as Cursor and Windsurf that utilize the same extension ecosystem. Ox Security warns that such vulnerabilities allow threat actors to establish a foothold within internal networks, facilitate lateral movement, and exfiltrate critical assets, including API keys and proprietary configuration files.
Developers are urged to refrain from operating local web servers unnecessarily, to avoid opening unverified HTML files during active sessions, and to eschew foreign configuration snippets. It is recommended to prune non-essential extensions and strictly source add-ons from reputable developers while remaining vigilant for unexplained alterations in environment parameters.
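The advice to reject foreign configuration snippets and watch for unexplained changes to settings.json can be turned into a simple drift check. The following is an added example, not code from Ox Security or from any of the extensions named above: the key `hypothetical.runner.cmd`, the command heuristic and the two sample settings files are all constructed for illustration.

```python
"""Audit a VS Code settings.json against a trusted baseline and flag added or changed
keys whose values look like shell commands (example code; the sample key is hypothetical)."""
import json
import re

# Heuristic for values a shell might execute; constructed for this example.
COMMAND_PATTERN = re.compile(r"\$\(|`|&&|\|\||;|\b(curl|wget|sh|bash|powershell|cmd)\b")


def strip_jsonc(text: str) -> str:
    """Drop // and /* */ comments (VS Code settings are JSON with comments)."""
    out, i, in_str = [], 0, False
    while i < len(text):
        if in_str:
            out.append(text[i])
            if text[i] == "\\":
                out.append(text[i + 1]); i += 1   # keep the escaped char, e.g. \"
            elif text[i] == '"':
                in_str = False
        elif text[i] == '"':
            in_str = True; out.append('"')
        elif text.startswith("//", i):   # line comment: resume after the newline
            i = text.find("\n", i) + 1 or len(text); continue
        elif text.startswith("/*", i):   # block comment: resume after */
            end = text.find("*/", i); i = len(text) if end == -1 else end + 2; continue
        else:
            out.append(text[i])
        i += 1
    return "".join(out)


def audit_settings(baseline_text: str, current_text: str) -> list:
    """Return (key, 'added'|'changed', looks_like_command) for every drifted key."""
    base = json.loads(strip_jsonc(baseline_text))
    current = json.loads(strip_jsonc(current_text))
    findings = []
    for key, value in current.items():
        if key in base and base[key] == value:
            continue
        status = "changed" if key in base else "added"
        # Serialising the value also scans strings nested in per-language maps.
        suspicious = COMMAND_PATTERN.search(json.dumps(value)) is not None
        findings.append((key, status, suspicious))
    return findings


# Constructed sample: the trusted baseline and the same file after an unreviewed paste.
BASELINE = '{\n  // editor prefs\n  "editor.tabSize": 2,\n  "files.autoSave": "afterDelay"\n}'
CURRENT = ('{\n  // editor prefs\n  "editor.tabSize": 4,\n  "files.autoSave": "afterDelay",\n'
           '  /* pasted from a forum */ "hypothetical.runner.cmd": "bash -c \'whoami && id\'"\n}')
```

Calling `audit_settings(BASELINE, CURRENT)` reports the tab-size change as benign and the pasted key as looking like a shell command; in practice the baseline would be a snapshot taken when the workspace was last reviewed.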