thehackernews.com 2/18/2026, 1:31:12 PM

Critical Flaws Found in Four VS Code Extensions with Over 125 Million Installs


Cybersecurity researchers have disclosed multiple security flaws in four popular VS Code extensions with a combined user base of over 125 million installs; the flaws could let attackers exfiltrate local files or run remote code. The vulnerable extensions are Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview.

CVEs identified include CVE-2025-65717 (CVSS 9.1) in Live Server, CVE-2025-65716 (CVSS 8.8) in Markdown Preview Enhanced, and CVE-2025-65715 (CVSS 7.8) in Code Runner, with all three described as remaining unpatched, according to OX Security researchers Moshe Siman Tov Bustan and Nir Zadok. A vulnerability in Microsoft Live Preview is noted as having no CVE and was fixed silently in version 0.4.16, released in September 2025, per the report.

OX Security warned that a single malicious extension, or a vulnerability in one extension, could enable lateral movement and compromise an entire organisation, according to the findings shared with The Hacker News. To mitigate risk, users are advised to avoid untrusted configurations, disable or uninstall non-essential extensions, and keep extensions updated.
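The mitigation advice above starts with knowing which of the four extensions are installed on a developer machine and at which version. The following inventory check is an added example written for this summary; it is not code from the article, from OX Security, or from any of the extension projects. It parses the output of `code --list-extensions --show-versions` (one `publisher.name@version` line per extension) and flags the affected extensions. The Marketplace identifiers in `AFFECTED` are assumed, since the article names the extensions only by display name; the 0.4.16 fixed version for Microsoft Live Preview comes from the article, and the other three are treated as affected at any version because the article reports them as unpatched. The sample listing is constructed so the script also runs offline without VS Code.

```python
"""Inventory check for the four VS Code extensions named in the report.

Parses `code --list-extensions --show-versions` output (lines of the form
`publisher.name@version`) and reports any affected extension that is
installed, together with the action the report's advice implies.
"""
import shutil
import subprocess

# Assumed Marketplace identifiers (not stated in the article) ->
# (display name, first fixed version or None when no fix is reported).
AFFECTED = {
    "ritwickdey.liveserver": ("Live Server (CVE-2025-65717)", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced (CVE-2025-65716)", None),
    "formulahendry.code-runner": ("Code Runner (CVE-2025-65715)", None),
    "ms-vscode.live-server": ("Microsoft Live Preview (no CVE)", "0.4.16"),
}


def parse_version(text):
    """Turn '0.4.16' into (0, 4, 16) so versions compare numerically."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def parse_listing(listing):
    """Parse `code --list-extensions --show-versions` output into {id: version}."""
    installed = {}
    for line in listing.splitlines():
        line = line.strip()
        if not line or "@" not in line:
            continue
        ext_id, _, version = line.rpartition("@")
        # Marketplace IDs are case-insensitive; normalise for lookup.
        installed[ext_id.lower()] = version
    return installed


def find_affected(installed):
    """Return [(ext_id, version, display name, status)] for installed affected extensions."""
    findings = []
    for ext_id, version in installed.items():
        if ext_id not in AFFECTED:
            continue
        name, fixed = AFFECTED[ext_id]
        if fixed is None:
            status = "no fix available: disable or uninstall"
        elif parse_version(version) < parse_version(fixed):
            status = f"update to {fixed} or later"
        else:
            status = "fixed version installed"
        findings.append((ext_id, version, name, status))
    return findings


def installed_extensions():
    """Query the real `code` CLI when it is on PATH; otherwise return None."""
    code = shutil.which("code")
    if code is None:
        return None
    out = subprocess.run([code, "--list-extensions", "--show-versions"],
                         capture_output=True, text=True, check=True).stdout
    return parse_listing(out)


# Constructed sample listing (versions are made up) for offline runs.
SAMPLE_LISTING = """\
ritwickdey.LiveServer@5.7.9
ms-vscode.live-server@0.4.15
formulahendry.code-runner@0.12.2
esbenp.prettier-vscode@11.0.0
"""

if __name__ == "__main__":
    installed = installed_extensions() or parse_listing(SAMPLE_LISTING)
    for ext_id, version, name, status in find_affected(installed):
        print(f"{name}: {ext_id}@{version} -> {status}")
```

Run on the constructed sample, the script flags Live Server and Code Runner as installed with no fix available and Live Preview 0.4.15 as needing an update to 0.4.16 or later; the unrelated extension is ignored. On a real machine with `code` on PATH it queries the live extension list instead.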


Article by CyberSIXT