Ethical Hacking News
Critical flaws have been found in four popular VS Code extensions, which have collectively been installed over 125 million times. These vulnerabilities allow attackers to exfiltrate local files, execute arbitrary code, and compromise entire organizations with a single malicious extension or vulnerability.
The four affected VS Code extensions are Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. The specific vulnerabilities are CVE-2025-65717 (Live Server), allowing local file exfiltration through phishing; CVE-2025-65716 (Markdown Preview Enhanced), enabling arbitrary JavaScript execution; CVE-2025-65715 (Code Runner), allowing arbitrary code execution via phishing or social engineering; and a vulnerability in Microsoft Live Preview, allowing access to sensitive files. Keeping vulnerable extensions installed poses an immediate threat to an organization's security posture. Recommendations for securing the development environment include disabling non-essential extensions, hardening local networks, periodically updating extensions, and turning off localhost-based services when not in use.
Cybersecurity researchers have identified multiple critical security vulnerabilities in four popular Microsoft Visual Studio Code (VS Code) extensions. These extensions, which have collectively been installed over 125 million times, pose a significant threat to the security posture of developers and organizations.
The affected extensions are Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. The vulnerabilities discovered by OX Security researchers Moshe Siman Tov Bustan and Nir Zadok allow attackers to exfiltrate local files, execute arbitrary code, and compromise entire organizations with a single malicious extension or a single vulnerability within one extension.
One of the most concerning vulnerabilities is CVE-2025-65717 in Live Server, which allows attackers to exfiltrate local files by tricking a developer into visiting a malicious website while the extension is running. JavaScript embedded in the page can then crawl and extract files from the local development HTTP server that runs at localhost:5500, and transmit them to a domain under the attacker's control.
Another vulnerability, CVE-2025-65716 in Markdown Preview Enhanced, allows attackers to execute arbitrary JavaScript code by uploading a crafted markdown (.md) file. This enables local port enumeration and exfiltration to a domain under the attacker's control.
A vulnerability in Code Runner (CVE-2025-65715) allows attackers to execute arbitrary code by convincing a user to alter the "settings.json" file through phishing or social engineering. This can lead to further exploitation of the system.
The fourth vulnerability, in Microsoft Live Preview, allows attackers to access sensitive files on a developer's machine by tricking a victim into visiting a malicious website when the extension is running. This enables specially crafted JavaScript requests targeting the localhost to enumerate and exfiltrate sensitive files.
According to OX Security, poorly written extensions, overly permissive extensions, or malicious ones can execute code, modify files, and allow attackers to take over a machine and exfiltrate information. Keeping vulnerable extensions installed on a machine is an immediate threat to an organization's security posture, as it may take only one click or downloaded repository to compromise everything.
To secure the development environment, developers are advised to avoid applying untrusted configurations, disable or uninstall non-essential extensions, harden the local network behind a firewall to restrict inbound and outbound connections, periodically update extensions, and turn off localhost-based services when not in use.
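The inventory and localhost checks recommended above, as an added example (not code from the article or from OX Security): it parses the output of `code --list-extensions --show-versions` for the four named extensions and tests whether anything is listening on localhost:5500. The marketplace IDs in the table are assumptions that do not appear in the article.

```python
import shutil
import socket
import subprocess

# Marketplace IDs for the four extensions the article names (assumed, not
# taken from the article; confirm against your own `code --list-extensions`).
NAMED_EXTENSIONS = {
    "ritwickdey.liveserver": "Live Server",
    "formulahendry.code-runner": "Code Runner",
    "shd101wyy.markdown-preview-enhanced": "Markdown Preview Enhanced",
    "ms-vscode.live-server": "Microsoft Live Preview",
}

def flag_extensions(listing):
    """Return [(name, id, version)] for named extensions found in the
    output of `code --list-extensions --show-versions` (id@version lines)."""
    hits = []
    for line in listing.splitlines():
        ext_id, _, version = line.strip().partition("@")
        name = NAMED_EXTENSIONS.get(ext_id.lower())
        if name:
            hits.append((name, ext_id, version or "unknown"))
    return hits

def local_port_open(port, host="127.0.0.1", timeout=0.5):
    """True if something accepts TCP connections on host:port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0

def installed_listing():
    """Run the VS Code CLI if it is on PATH; return '' otherwise."""
    code = shutil.which("code")
    if not code:
        return ""
    out = subprocess.run([code, "--list-extensions", "--show-versions"],
                         capture_output=True, text=True, timeout=30)
    return out.stdout

if __name__ == "__main__":
    for name, ext_id, version in flag_extensions(installed_listing()):
        print(f"review: {name} ({ext_id}) version {version}")
    # 5500 is the Live Server port given in the article.
    if local_port_open(5500):
        print("localhost:5500 is serving; stop it when not in use")
```

A hit means the extension is installed, not that the installed version is vulnerable; compare the reported version against the advisory for each CVE.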
The discovery of these critical flaws highlights the importance of maintaining up-to-date software, being cautious of untrusted sources, and taking proactive measures to secure one's development environment. As the threat landscape continues to evolve, it is essential for developers and organizations to stay vigilant and take immediate action to protect themselves against such vulnerabilities.
Related Information:
https://www.ethicalhackingnews.com/articles/Critical-Flaws-Found-in-Four-Popular-VS-Code-Extensions-A-Threat-to-Developer-Security-ehn.shtml
https://thehackernews.com/2026/02/critical-flaws-found-in-four-vs-code.html
https://www.csoonline.com/article/4133800/flaws-in-four-popular-vs-code-extensions-left-128-million-installs-open-to-attack.html
https://nvd.nist.gov/vuln/detail/CVE-2025-65717
https://www.cvedetails.com/cve/CVE-2025-65717/
https://nvd.nist.gov/vuln/detail/CVE-2025-65716
https://www.cvedetails.com/cve/CVE-2025-65716/
https://nvd.nist.gov/vuln/detail/CVE-2025-65715
https://www.cvedetails.com/cve/CVE-2025-65715/
Published: Wed Feb 18 09:26:55 2026 by llama3.2 3B Q4_K_M