OX Security researchers warn that four widely used VS Code extensions—Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview—have flaws that could let attackers steal files or run code remotely, with the extensions collectively downloaded over 128 million times.
The flaws include CVE-2025-65717 in Live Server, which permits remote file exfiltration; CVE-2025-65715 in Code Runner, which enables remote code execution; and CVE-2025-65716 in Markdown Preview Enhanced, which allows JavaScript execution leading to local port scanning and potential data exfiltration. Microsoft Live Preview, which has over 11 million downloads, has no CVE assigned yet; its issue is described as "One-Click XSS to full IDE files exfiltration".
The report lists CVSS scores of 9.1 for Live Server, 7.8 for Code Runner and 8.8 for Markdown Preview Enhanced; together they underline how a single malicious or compromised extension can facilitate lateral movement within an organisation. OX Security adds that it disclosed the vulnerabilities in July–August 2025 but received no response from the maintainers, highlighting a broader problem of accountability for extension security.
To counter these risks as reliance on extensions grows, the researchers suggest measures such as mandatory security reviews before publishing and AI-powered vulnerability scanning of extensions.