Cybersecurity researchers have identified multiple critical security vulnerabilities in four popular Visual Studio Code extensions: Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. These extensions have a combined installation base exceeding 125 million, making the impact potentially widespread. The vulnerabilities enable attackers to perform remote code execution and local file exfiltration by exploiting the extensions' interaction with localhost services and user configurations. Specifically, CVE-2025-65717 in Live Server (CVSS 9.1) allows attackers to exfiltrate local files by embedding malicious JavaScript in a webpage that crawls the local development HTTP server running on localhost:5500. CVE-2025-65716 in Markdown Preview Enhanced (CVSS 8.8) permits arbitrary JavaScript execution through crafted markdown files, enabling local port enumeration and data exfiltration. CVE-2025-65715 in Code Runner (CVSS 7.8) allows code execution if a user is socially engineered to modify the "settings.json" file. The Microsoft Live Preview vulnerability, now patched, similarly allowed file access via malicious websites targeting localhost. These vulnerabilities require minimal user interaction, such as visiting a malicious site or opening a crafted file, and do not require elevated privileges or complex exploitation techniques. The flaws stem from overly permissive extension permissions and insufficient validation of content and configurations. Attackers exploiting these vulnerabilities can gain access to sensitive source code, credentials, and internal network information, enabling lateral movement and full system compromise. The vulnerabilities remain unpatched except for Microsoft Live Preview, increasing the urgency for mitigation. The research highlights the risk posed by poorly written or malicious extensions in development environments, emphasizing the need for strict extension management and network hardening.

For European organizations, these vulnerabilities pose a significant threat to the confidentiality, integrity, and availability of development environments and sensitive intellectual property. Exploitation can lead to theft of source code, credentials, and proprietary data, potentially resulting in financial losses, reputational damage, and regulatory penalties under GDPR. The ability to execute arbitrary code remotely facilitates lateral movement within corporate networks, increasing the risk of widespread compromise and ransomware deployment. Development teams relying heavily on VS Code and these extensions may face disruption of software development lifecycles, delays in product releases, and increased incident response costs. Given the widespread adoption of VS Code in Europe’s technology, finance, and manufacturing sectors, the threat could impact critical infrastructure and innovation pipelines. The unpatched nature of most vulnerabilities means organizations remain exposed until mitigations or patches are applied. Additionally, the ease of exploitation via common developer workflows heightens the risk of targeted attacks and supply chain compromises within European software ecosystems.

1. Immediately audit all installed VS Code extensions and uninstall or disable Live Server, Code Runner, and Markdown Preview Enhanced until patches are available. 2. Restrict localhost network access by configuring host-based firewalls to block unauthorized inbound and outbound connections to localhost ports used by these extensions. 3. Educate developers to avoid visiting untrusted websites or opening unverified markdown files while vulnerable extensions are enabled. 4. Enforce strict policies against applying untrusted or unsolicited configuration changes, especially modifications to "settings.json" files. 5. Monitor network traffic for unusual outbound connections from developer machines to detect potential exfiltration attempts. 6. Regularly check for and apply updates to VS Code extensions, prioritizing security patches. 7. Implement endpoint detection and response (EDR) solutions capable of detecting suspicious script execution and lateral movement behaviors. 8. Consider isolating development environments using virtual machines or containers to limit the blast radius of potential exploitation. 9. Collaborate with internal security teams to conduct threat hunting focused on exploitation indicators related to these vulnerabilities. 10. Engage with Microsoft and extension maintainers to track patch releases and validate their effectiveness before re-enabling extensions.