Security researchers at Ox Security have disclosed multiple high‑severity vulnerabilities in popular Visual Studio Code (VSCode) extensions, collectively downloaded more than 128 million times. These flaws could allow attackers to steal local files, execute code remotely, and pivot into corporate environments.
Vulnerability Breakdown
- CVE‑2025‑65715 (Code Runner, 37M downloads) → Remote code execution via malicious configuration changes in settings.json.
- CVE‑2025‑65716 (Markdown Preview Enhanced, 8.5M downloads) → JavaScript execution through crafted Markdown files.
- CVE‑2025‑65717 (Markdown Preview Enhanced) → Critical flaw enabling file theft via malicious webpages.
- Microsoft Live Preview (11M downloads, pre‑0.4.16) → One‑click XSS vulnerability exposing sensitive files.
These flaws also affect Cursor and Windsurf, AI‑powered VSCode‑compatible IDEs.
Why It Matters
VSCode extensions run with deep access to local environments—files, terminals, and network resources. Exploiting these flaws could allow attackers to:
- Steal API keys, cloud credentials, and configuration files.
- Move laterally across networks.
- Execute arbitrary code and compromise developer systems.
Given the scale of downloads, the attack surface is massive, making developers and organizations prime targets.
Defensive Recommendations
- Audit extensions: Remove unnecessary or untrusted add‑ons.
- Avoid localhost servers unless strictly necessary.
- Don’t open untrusted HTML while running vulnerable extensions.
- Verify publishers: Only install extensions from reputable sources.
- Monitor settings.json for unexpected changes.
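As an added example (not code from the Ox Security advisory or from this post), a small Python helper covering the first and last recommendations: it parses the output of `code --list-extensions --show-versions` to flag the extensions named above, treating Live Preview as patched from 0.4.16, and diffs a settings.json snapshot against a saved baseline. The marketplace ids are an assumption (the page names the extensions but not their ids) and the extension list is constructed sample data.

```python
import json

# Marketplace ids of the extensions named in the advisory. Assumption: the
# page gives names only; these publisher.name ids are the ones
# `code --list-extensions --show-versions` prints, not values from the page.
AFFECTED = {
    "formulahendry.code-runner": "Code Runner (CVE-2025-65715)",
    "shd101wyy.markdown-preview-enhanced": "Markdown Preview Enhanced (CVE-2025-65716, CVE-2025-65717)",
    "ms-vscode.live-server": "Microsoft Live Preview (fixed in 0.4.16)",
}
LIVE_PREVIEW_FIXED = (0, 4, 16)

# Constructed sample output of `code --list-extensions --show-versions`.
SAMPLE_EXTENSIONS = """formulahendry.code-runner@0.12.2
esbenp.prettier-vscode@10.4.0
ms-vscode.live-server@0.4.15
"""

def parse_extension_list(output):
    """Map extension id -> version from 'publisher.name@version' lines."""
    installed = {}
    for line in output.splitlines():
        if "@" in line:
            ext_id, version = line.strip().rsplit("@", 1)
            installed[ext_id.lower()] = version
    return installed

def audit_extensions(installed):
    """List affected extensions; Live Preview is flagged only below the fixed release."""
    findings = []
    for ext_id, version in installed.items():
        if ext_id not in AFFECTED:
            continue
        numeric = tuple(int(p) for p in version.split(".") if p.isdigit())
        if ext_id == "ms-vscode.live-server" and numeric >= LIVE_PREVIEW_FIXED:
            continue  # already patched, nothing to report
        findings.append(f"{AFFECTED[ext_id]} installed at {version}")
    return findings

def diff_settings(baseline_text, current_text):
    """Report keys added, removed or changed relative to a saved settings.json baseline.
    Assumes strict JSON; VS Code also accepts comments, which must be stripped first."""
    base, cur = json.loads(baseline_text), json.loads(current_text)
    return {
        "added": sorted(k for k in cur if k not in base),
        "removed": sorted(k for k in base if k not in cur),
        "changed": sorted(k for k in cur if k in base and cur[k] != base[k]),
    }
```

Run the diff from a scheduled job or a file-watcher against a baseline captured right after a reviewed install, so any key that appears without a corresponding change request stands out.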
Final Thought
This incident highlights a critical truth: developer tools are now high‑value targets. Extensions designed to boost productivity can just as easily become vectors for compromise. For organizations, the lesson is clear—security reviews must extend to the developer ecosystem itself.