socradar.io 2/19/2026, 11:55:57 AM · via preferred

Severe VS Code Extension CVEs Expose Developers to RCE and File Exfiltration

CyberSIXT Evidence Panel

A coordinated disclosure has highlighted four popular Visual Studio Code extensions (Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview) as affected. Three of the issues carry CVE identifiers (CVE-2025-65715, CVE-2025-65716 and CVE-2025-65717) and had no maintainer patches at the time of publication; Microsoft Live Preview was discussed without a CVE assignment, as a one-click XSS-class flaw in its local preview server that could exfiltrate files.

According to OX Security’s assessment, the vulnerabilities affect all versions of the three non-Microsoft extensions, so upgrading may not fully mitigate the risk, and remediation details are still forthcoming. Defenders are advised to disable or uninstall the three unpatched extensions, enforce extension allowlisting, and treat workspace settings as untrusted input, which reduces the risk from settings-driven or repo-driven exploitation. For Microsoft Live Preview, the guidance is to update to 0.4.16 or later.
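As an added example (not code from the article or from OX Security), a small audit that applies the guidance above to the output of `code --list-extensions --show-versions`: the three unpatched extensions are flagged at any version, and Microsoft Live Preview is compared against the 0.4.16 fixed version. The Marketplace identifiers are assumptions to verify against the Marketplace, and the sample CLI output is constructed.

```python
# Added example (not from the article or OX Security): audit the output of
# `code --list-extensions --show-versions` against the advisory's guidance.
# Extension identifiers are assumed Marketplace publisher.name values.
from typing import Dict, List, Tuple

UNPATCHED = {  # no maintainer fix, so any installed version is flagged
    "ritwickdey.liveserver": "Live Server",
    "formulahendry.code-runner": "Code Runner",
    "shd101wyy.markdown-preview-enhanced": "Markdown Preview Enhanced",
}
LIVE_PREVIEW_ID = "ms-vscode.live-server"  # Microsoft Live Preview
LIVE_PREVIEW_FIXED = (0, 4, 16)            # article: update to 0.4.16 or later

# Constructed sample of CLI output, one 'publisher.name@version' per line.
SAMPLE_OUTPUT = """\
ritwickdey.LiveServer@5.7.9
formulahendry.code-runner@0.12.2
ms-vscode.live-server@0.4.15
esbenp.prettier-vscode@10.4.0
"""

def parse_version(text: str) -> Tuple[int, ...]:
    """'0.4.16' -> (0, 4, 16); non-digit characters in a part are dropped."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def parse_extension_list(output: str) -> Dict[str, str]:
    """Map lower-cased extension id -> version; ids are matched case-insensitively."""
    installed: Dict[str, str] = {}
    for line in output.splitlines():
        if "@" in line:
            ident, version = line.strip().rsplit("@", 1)
            installed[ident.lower()] = version
    return installed

def audit(installed: Dict[str, str]) -> List[str]:
    """One finding per affected extension; an empty list means nothing to act on."""
    findings = [f"{name}: no fix available, disable or uninstall ({ident}@{installed[ident]})"
                for ident, name in UNPATCHED.items() if ident in installed]
    version = installed.get(LIVE_PREVIEW_ID)
    if version and parse_version(version) < LIVE_PREVIEW_FIXED:
        findings.append(f"Live Preview: update to 0.4.16 or later ({LIVE_PREVIEW_ID}@{version})")
    return findings

if __name__ == "__main__":
    for finding in audit(parse_extension_list(SAMPLE_OUTPUT)) or ["no affected extensions"]:
        print(finding)
```

Feed the real CLI output in place of SAMPLE_OUTPUT to audit a workstation; an allowlist check can reuse parse_extension_list and reject any id not on the approved list.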

The article also notes that public PoC demonstrations exist and that exploitation aligns with common developer workflows, such as previewing files or opening repos, rather than solely relying on remote scanners.


Article by CyberSIXT