Serious vulnerabilities have been disclosed in four popular Visual Studio Code (VS Code) extensions with more than 128 million downloads between them.
These flaws, three of which have been assigned CVEs (CVE-2025-65715, CVE-2025-65716 and CVE-2025-65717), highlight IDEs as the weakest link in organizational supply-chain security.
Developers often store sensitive data like API keys, business logic, database configs, and even customer info right in their IDE-accessible file systems.
Malicious VS Code Extensions Flaws
A single malicious or vulnerable extension can enable hackers to move laterally, exfiltrate data, or take over machines.
The issues also impact Cursor and Windsurf IDEs. One extension alone could compromise an entire organization with minimal effort. Here’s a breakdown of the findings:
| CVE ID | Extension Name | CVSS Score | Vulnerability | Affected Versions |
|---|---|---|---|---|
| CVE-2025-65717 | Live Server | 9.1 | Remote file exfiltration | All versions |
| CVE-2025-65715 | Code Runner | 7.8 | Remote code execution | All versions |
| CVE-2025-65716 | Markdown Preview Enhanced | 8.8 | JavaScript code execution leading to local port scanning with potential data exfiltration | All versions |
| No CVE | Microsoft Live Preview | N/A | One-click XSS to full IDE files exfiltration | Fixed in v0.4.16+ |
"Extensions act like mini-admins in your IDE, with broad powers to run code, tweak files, and access your dev machine," said the OX team.
Potential Impact
- Lateral Movement Risk: Compromise of a development environment may enable attackers to pivot across connected internal networks, expanding their foothold and escalating access.
- Data Exfiltration and Host Compromise: If executed on a development machine running a local server, malicious activity could facilitate the theft of sensitive data and potentially lead to a full system takeover, significantly increasing the risk of credential leakage, source code exposure, and broader infrastructure compromise.
Avoid opening untrusted HTML while local servers are active, avoid leaving servers running on localhost, and never paste unverified snippets into your global settings.json.
Secure Your Development Environment
Disable or Remove Unnecessary Extensions: Minimize your attack surface by turning off or uninstalling development tools, plugins, and services that are not essential to your current tasks. Reducing unused components limits potential entry points for attackers.
Strengthen Your Local Network Security: Configure a robust local firewall to control inbound and outbound traffic for development-related services tightly. Ensure access is granted only when required and restricted to trusted hosts and networks.
Enforce a Strict Update Policy: Implement a disciplined patch management routine that prioritizes the prompt installation of security updates for operating systems, IDEs, extensions, and development dependencies to remediate known vulnerabilities without delay.
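The first and third steps above begin with knowing which of the four affected extensions are installed and at what version. As an added example (not code from the article or from OX), the Python below parses the folder names in a VS Code extensions directory and checks them against the table: every version is flagged for the three CVE'd extensions, and Live Preview is flagged only below 0.4.16. The Marketplace identifiers and the sample listing are assumptions, so verify the IDs against your own install.

```python
import os
import re

# Marketplace identifiers for the four extensions in the table (assumed from memory,
# not given in the article; verify against your install). The second field is the
# first fixed version, or None when every version is affected.
ADVISORY = {
    "ritwickdey.liveserver": ("Live Server (CVE-2025-65717)", None),
    "formulahendry.code-runner": ("Code Runner (CVE-2025-65715)", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced (CVE-2025-65716)", None),
    "ms-vscode.live-server": ("Microsoft Live Preview (no CVE)", "0.4.16"),
}
# Installed extension folders are named <publisher>.<name>-<version>[-<target platform>].
DIR_RE = re.compile(r"^(?P<id>.+?)-(?P<ver>\d+(?:\.\d+)*)(?:-.*)?$")

def parse_version(ver: str) -> tuple[int, ...]:
    """Turn '0.4.15' into (0, 4, 15) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in ver.split("."))

def audit(dir_names: list[str]) -> list[str]:
    """Return one finding per installed extension that the advisory table marks vulnerable."""
    findings = []
    for name in dir_names:
        match = DIR_RE.match(name)
        if not match:
            continue  # not an extension folder (e.g. extensions.json, .obsolete)
        ext_id, ver = match.group("id").lower(), match.group("ver")
        if ext_id not in ADVISORY:
            continue
        label, fixed = ADVISORY[ext_id]
        if fixed is None:
            findings.append(f"{label}: v{ver} installed, no fixed release; disable or remove")
        elif parse_version(ver) < parse_version(fixed):
            findings.append(f"{label}: v{ver} installed, update to {fixed} or later")
    return findings

def audit_path(extensions_dir: str = os.path.expanduser("~/.vscode/extensions")) -> list[str]:
    if not os.path.isdir(extensions_dir):  # run the audit against a real install
        return []
    return audit(sorted(os.listdir(extensions_dir)))

# Constructed sample listing, not taken from a real machine.
SAMPLE_DIRS = [
    "ritwickdey.liveserver-5.7.9",
    "formulahendry.code-runner-0.12.2",
    "shd101wyy.markdown-preview-enhanced-0.8.15",
    "ms-vscode.live-server-0.4.15-universal",
    "ms-python.python-2024.22.0-win32-x64",
]
```

Cursor and Windsurf keep their extensions under their own directories, so pass that path to `audit_path` when checking those IDEs.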
These flaws, in extensions with more than 128 million combined downloads, expose dev machines as unprotected gateways to company assets.
The "install at your own risk" model is failing amid the rise of AI tools and growing reliance on extensions. Proposed fixes include mandatory marketplace reviews, AI-assisted vulnerability scans, and enforced remediation timelines for maintainers once a CVE is assigned.