Major Security Vulnerabilities Found in Four VS Code Extensions Impacting Millions


Recent research has brought to light significant security vulnerabilities within four widely-used Visual Studio Code (VS Code) extensions, collectively installed over 125 million times. As developers increasingly rely on integrated development environments (IDEs) for their projects, these vulnerabilities prompt serious considerations regarding the security of the software development supply chain.

Overview of the Vulnerable Extensions

The identified extensions are:

  1. Live Server
  2. Code Runner
  3. Markdown Preview Enhanced
  4. Microsoft Live Preview

These extensions are integral to the VS Code ecosystem, assisting millions of programmers worldwide in creating and managing their code efficiently.

The Risks of IDE Extensions

The vulnerabilities discovered point to a cascading risk: a single compromised extension within an IDE can open a path to the breach of an entire organizational network. The researchers described development environments as “the weakest link” in organizational security, because sensitive information such as API keys, database configurations, and even customer data is stored locally and accessed through the IDE.

Identifying High-Risk Vulnerabilities

The vulnerabilities associated with these extensions are not merely theoretical. The research team confirmed that three of these vulnerabilities received Common Vulnerabilities and Exposures (CVE) identifiers, illustrating their severity and potential for exploitation:

  1. CVE-2025-65717: Live Server

    • CVSS Score: 9.1 (Critical)
    • Impact: Remote file exfiltration
    • Affected Versions: All versions
    • Downloads: Over 72 million
  2. CVE-2025-65715: Code Runner

    • CVSS Score: 7.8 (High)
    • Impact: Remote code execution
    • Affected Versions: All versions
    • Downloads: Over 37 million
  3. CVE-2025-65716: Markdown Preview Enhanced

    • CVSS Score: 8.8 (High)
    • Impact: JavaScript code execution leading to local port scanning and potential data exfiltration
    • Affected Versions: All versions
    • Downloads: Over 8.5 million

A fourth vulnerability, in Microsoft Live Preview (over 11 million downloads), was identified but did not receive a CVE designation. The researchers describe it as a “One-Click XSS to full IDE file exfiltration.”

IDE extensions typically operate with extensive permissions, enabling them to read and modify files, execute code, and interact with local servers. While such capabilities enhance productivity, they simultaneously increase the attack surface, giving attackers a route to execute arbitrary code, extract sensitive information, or seize control of a developer’s machine.

The implications of these vulnerabilities can be dire:

  • Lateral Movement: An attacker who gains access to one developer’s machine may navigate through interconnected networks, amplifying the breach’s reach.
  • Data Exfiltration: Sensitive information such as API keys and configuration files may be compromised.
  • System Takeover: Attackers can gain broader control over development machines, which may impact customers and production environments.

Issues Surrounding Responsible Disclosure

The researchers sought to responsibly disclose their findings regarding the CVE vulnerabilities in late 2025. Unfortunately, they reported that none of the extension maintainers responded to their outreach efforts. This underscores a more systemic issue—namely, the absence of a clear accountability framework and oversight mechanism for extension security.

Mitigation Strategies for Developers and Organizations

To decrease the risks associated with vulnerable extensions, both developers and organizations can adopt proactive measures:

  1. Avoid Opening Untrusted HTML Files: Do not open suspicious files while localhost servers are active.

  2. Restrict Unnecessary Local Servers: Only operate local servers that are essential for your development work.

  3. Monitor Configuration Changes: Regularly back up and monitor settings.json files to detect unauthorized adjustments.

  4. Limit Installed Extensions: Use only trusted extensions and verify their source before installation.

  5. Implement Network Protections: Fortify local environments with well-configured firewalls.

  6. Schedule Regular Updates: Keep IDEs, extensions, operating systems, and other development dependencies updated to the latest, secure versions.
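As an added example for mitigation step 3 (this is not code from the article or from any of the extensions), a Python check that diffs the current settings.json against a saved baseline copy; it handles the comments and trailing commas VS Code permits in that file, and the list of watched key prefixes is this example's assumption.

```python
import json
import re
from typing import Any

# Constructed sample snapshots of a VS Code settings.json (JSONC allows comments and trailing commas).
BASELINE = """{
  // editor basics
  "editor.fontSize": 14,
  "liveServer.settings.port": 5500,
  "code-runner.runInTerminal": true,
}"""
CURRENT = """{
  "editor.fontSize": 14,
  "liveServer.settings.port": 5500,
  "liveServer.settings.host": "0.0.0.0",
  "code-runner.runInTerminal": false,
  "code-runner.executorMap": {"python": "python3 -u"},
}"""

# Key prefixes that steer local servers or how code is run (this example's assumption, not the article's).
WATCH_PREFIXES = ("liveServer.", "code-runner.", "markdown-preview-enhanced.")

def load_jsonc(text: str) -> dict:
    """Parse JSONC: strip /* */ blocks, whole-line // comments and trailing commas, then use json."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)

def flatten(obj: Any, prefix: str = "") -> dict:
    """Turn nested objects into dotted leaf keys so every value can be compared."""
    if not isinstance(obj, dict):
        return {prefix: obj}
    out: dict = {}
    for key, value in obj.items():
        out.update(flatten(value, f"{prefix}.{key}" if prefix else key))
    return out

def diff_settings(baseline_text: str, current_text: str) -> dict:
    """Report keys added, removed or changed since the baseline, and which fall under a watched prefix."""
    base, cur = flatten(load_jsonc(baseline_text)), flatten(load_jsonc(current_text))
    report = {
        "added": sorted(k for k in cur if k not in base),
        "removed": sorted(k for k in base if k not in cur),
        "changed": sorted(k for k in base if k in cur and base[k] != cur[k]),
    }
    touched = report["added"] + report["removed"] + report["changed"]
    report["flagged"] = sorted(k for k in touched if k.startswith(WATCH_PREFIXES))
    return report
```

Point it at the user settings file (~/.config/Code/User/settings.json on Linux, ~/Library/Application Support/Code/User/settings.json on macOS, %APPDATA%\Code\User\settings.json on Windows) and keep the baseline copy outside the directory the IDE and its extensions write to.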

Conclusion

The vulnerabilities found within these popular VS Code extensions highlight a pressing need for increased awareness and scrutiny regarding the security of IDEs and their extensions. By implementing these strategies, developers and organizations can safeguard their systems from emerging threats while continuing to benefit from the power and flexibility that modern development environments provide.
