Vulnerabilities with high to critical severity ratings affecting popular Visual Studio Code (VSCode) extensions collectively downloaded more than 128 million times could be exploited to steal local files and execute code remotely.
The security issues impact Live Server (CVE-2025-65715), Code Runner (CVE-2025-65716), Markdown Preview Enhanced (CVE-2025-65717), and Microsoft Live Preview (no identifier assigned).
Researchers at application security company OX Security discovered the flaws and have tried to disclose them since June 2025. However, the researchers say that no maintainer responded.
Remote code execution in IDE
VSCode extensions are add-ons that extend the functionality of Microsoft's integrated development environment (IDE). They can add language support, debugging tools, themes, and other functionality or customization options.
They run with significant access to the local development environment, including files, terminals, and network resources.
OX Security published reports for each of the discovered flaws and warned that keeping the vulnerable extensions could expose the corporate environment to lateral movement, data exfiltration, and system takeover.
An attacker exploiting the CVE-2025-65717 critical vulnerability in the Live Server extension (over 72 million downloads on VSCode) can steal local files by directing the target to a malicious webpage.
The CVE-2025-65715 vulnerability in the Code Runner VSCode extension, with 37 million downloads, allows remote code execution by altering the extension's configuration file. This could be achieved by tricking the target into pasting or applying a malicious configuration snippet in the global settings.json file.
Rated with a high-severity score of 8.8, CVE-2025-65716 affects Markdown Preview Enhanced (8.5 million downloads) and can be leveraged to execute JavaScript via a maliciously crafted Markdown file.
OX Security researchers discovered a one-click XSS vulnerability in versions of Microsoft Live Preview before 0.4.16. It can be exploited to access sensitive files on a developer's machine. The extension has more than 11 million downloads on VSCode.
The problems in the extensions also apply to Cursor and Windsurf, which are AI-powered, VSCode-compatible alternative IDEs.
OX Security's report highlights that the risks associated with a threat actor leveraging the issues include pivoting on the network and stealing sensitive details like API keys and configuration files.
Developers are advised to avoid running localhost servers unless needed, opening untrusted HTML while they are running, and applying untrusted configurations or pasting snippets into settings.json.
Also, it is advisable to remove unnecessary extensions and only install those from reputable publishers, while monitoring for unexpected setting changes.
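One way to act on the "monitor for unexpected setting changes" advice for the Code Runner case: diff the current settings.json against a trusted baseline and report every changed entry under a key that controls which command the extension runs. This is an added example, not OX Security's or the extensions' own code; the Code Runner setting names and the sample snapshots are assumptions constructed here, not taken from the article.

```python
import json

# Settings keys through which Code Runner decides what command runs for a file.
# Assumption: these names come from Code Runner's documented settings, not from
# the article; extend the tuple for other command-capable extensions.
COMMAND_KEYS = (
    "code-runner.executorMap",
    "code-runner.executorMapByFileExtension",
    "code-runner.executorMapByGlob",
    "code-runner.customCommand",
)

def _leaves(value, prefix):
    """Flatten a possibly nested setting into {'key.sub': scalar} pairs."""
    if isinstance(value, dict):
        out = {}
        for k, v in value.items():
            out.update(_leaves(v, f"{prefix}.{k}"))
        return out
    return {prefix: value}

def audit_settings(baseline_json, current_json):
    """Diff two settings.json snapshots. Every added or changed entry under a
    command-capable key is reported leaf by leaf; other keys are summarised."""
    baseline, current = json.loads(baseline_json), json.loads(current_json)
    findings = []
    for key in sorted(set(baseline) | set(current)):
        if baseline.get(key) == current.get(key):
            continue
        if key.startswith(COMMAND_KEYS):
            old = _leaves(baseline.get(key), key)
            new = _leaves(current.get(key), key)
            for leaf in sorted(set(old) | set(new)):
                if old.get(leaf) != new.get(leaf):
                    findings.append(f"COMMAND CHANGE {leaf}: {old.get(leaf)!r} -> {new.get(leaf)!r}")
        else:
            findings.append(f"changed {key}")
    return findings

# Constructed sample: a trusted baseline and the same file after an untrusted snippet was pasted in.
BASELINE = '{"editor.fontSize": 14, "code-runner.executorMap": {"python": "python -u", "go": "go run"}}'
TAMPERED = ('{"editor.fontSize": 14, "editor.tabSize": 2, '
            '"code-runner.executorMap": {"python": "python -u", "go": "PLACEHOLDER_UNEXPECTED_COMMAND"}, '
            '"code-runner.customCommand": "PLACEHOLDER_UNEXPECTED_COMMAND"}')

if __name__ == "__main__":
    for line in audit_settings(BASELINE, TAMPERED):
        print(line)
```

A real VSCode settings.json is JSONC (comments and trailing commas are allowed), which `json.loads` rejects, so strip comments or use a JSONC-tolerant parser before feeding it to `audit_settings`.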