Critical Flaws in Popular VS Code Extensions Affect Millions
Security researchers have uncovered serious vulnerabilities in four widely used Visual Studio Code extensions with a combined download count of more than 128 million. The flaws could let an attacker read files from a developer's workspace, execute code on the developer's machine, or probe the local network, in some cases with no more interaction than visiting a web page or opening a file. The findings show that even trusted tools can carry serious risk, especially when they run with broad access to a developer's system.
Major Vulnerabilities in High-Download Extensions
The security firm OX Security identified three critical vulnerabilities, tracked as CVE-2025-65717, CVE-2025-65715 and CVE-2025-65716. They were publicly disclosed on February 16 after the maintainers did not respond to notifications first sent in June 2025. The affected extensions collectively have millions of users, so the potential impact is broad.
The most concerning flaw was in Live Server, an extension with more than 70 million downloads that starts a local web server so developers can preview their pages with live reload. The researchers found that this server accepted requests from any web page open in the developer's browser, not only from the project being previewed. An attacker therefore only needs the developer to visit a malicious page while Live Server is running: script on that page can talk to the local server and, through it, reach the developer's files, with no further action on the developer's part.
Exploits in Common Developer Tools
The second flaw affected Code Runner, an extension with 37 million downloads that runs code snippets directly from within VS Code. The researchers found that a crafted command placed in the extension's configuration could cause arbitrary code to execute, including a reverse shell that hands the attacker control of the victim's machine. The malicious configuration can arrive by phishing or through files altered by a compromised extension.
The third vulnerability was in Markdown Preview Enhanced, used by more than 8.5 million developers. Opening a specially crafted Markdown file was enough to trigger it: script embedded in the file ran in the preview and could enumerate open network ports on the victim's machine, information that is useful for planning follow-on attacks.
Microsoft's own Live Preview extension, with 11 million downloads, was also affected. Microsoft patched the issue quietly, which shows that even first-party tools are not immune. Together these vulnerabilities show that an attacker can abuse legitimate, widely installed extensions to gain access or cause harm without raising suspicion.
Implications and Response
The researchers emphasized that these flaws are dangerous precisely because they sit in popular, legitimate extensions rather than in malicious packages uploaded to the marketplace: they are trusted tools that millions of developers installed deliberately. An attacker who finds one vulnerable extension on one developer's machine has a foothold from which to move laterally into the organization's systems.
OX Security said it contacted the vendors months before disclosure but received little response, which underlines the need for ongoing security review and prompt patching of widely used developer tools. Developers should keep their extensions updated and be cautious about opening untrusted files or projects, or clicking suspicious links, while extensions with broad system access are active.
Overall, the findings are a reminder of the hidden risk in the software developers rely on every day. Keeping extensions updated and following security advisories limits the damage this class of vulnerability can do, and as the tooling landscape evolves, so must the vigilance of those who build and use it.