Critical VS Code Extension Vulnerabilities Expose 128 Million Developer Machines to Attack


Three critical vulnerabilities hit four popular VS Code extensions with 128 million downloads combined. CVE-2025-65715, CVE-2025-65716, and CVE-2025-65717 allow remote code execution, file exfiltration, and network scanning. OX Security, which found the flaws, says they threaten developer laptops holding API keys, source code, and database configs.

Developer machines sit outside traditional defenses. IDE extensions run with full system access. One bad extension reads all files, runs commands, or phones home. Live Server alone has 72 million installs. Attackers need no phishing. Compromise one developer and pivot to corporate networks.

OX Security disclosed the flaws responsibly in July-August 2025. Most maintainers stayed silent. Microsoft quietly patched the Live Preview XSS without a CVE or credit. No marketplace enforces security reviews or patch deadlines.

CVE records confirm severity scores:

Vulnerable Extensions

CVE ID | Extension | CVSS | Downloads | Impact | Status
CVE-2025-65717 | Live Server | 9.1 | 72M+ | Remote file exfiltration | All versions
CVE-2025-65715 | Code Runner | 7.8 | 37M+ | Remote code execution | All versions
CVE-2025-65716 | Markdown Preview Enhanced | 8.8 | 8.5M+ | JS execution, port scan, exfil | All versions
None | Microsoft Live Preview | N/A | 11M+ | XSS to full IDE exfiltration | Fixed v0.4.16+

Total exposure: 128.5 million installs.

Attack Capabilities

Each flaw grants attackers:

  • Full filesystem read access to source code, configs, .env files.
  • Arbitrary command execution as logged-in developer.
  • Local network discovery and lateral movement.
  • Data exfiltration over localhost tunnels.

No antivirus flags extension activity.

Live Server CVE-2025-65717 Breakdown

CVSS 9.1 Critical. Attack sequence:

  1. Developer runs Live Server (localhost:5500).
  2. Developer visits a crafted external page that embeds an img tag whose src points at localhost:5500/.ssh/id_rsa.
  3. The server reflects the file contents to the attacker's domain.

72 million users run this daily.

Code Runner CVE-2025-65715 Details

37 million downloads. Remote code execution via:

  • A malicious workspace settings.json.
  • The extension executes code from untrusted snippets.
  • Commands run in the developer's user context.

Perfect for supply chain attacks.

Immediate Mitigation Steps

Organizations must act now:

  • Inventory all VS Code extensions across developer endpoints.
  • Remove/disable Live Server, Code Runner, Markdown Preview Enhanced.
  • Disable localhost servers when not coding.
  • Block extensions writing to sensitive directories.
  • Audit settings.json from email/chat sources.

Deploy via Intune or Jamf policies.
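The inventory and settings.json audit steps above can be automated. The following script is an added example, not code from OX Security, VPNCentral or any of the extension projects. It parses the output of `code --list-extensions --show-versions` (collected from each endpoint by whatever management tooling you use), flags the four extensions named in this article, treats Live Preview as fixed only at 0.4.16 or later, and reports any `code-runner.` keys in a workspace settings.json, since those keys configure how Code Runner launches commands. The marketplace extension IDs, the version numbers in the sample listing, and the `code-runner.` key prefix are assumptions I have made; the sample data is constructed for the demonstration.

```python
import json
import re

# Marketplace IDs for the four extensions in the article (assumed from memory;
# verify them against your own marketplace listing). Value = (name, CVE, first
# fixed version or None when every version is affected).
AFFECTED = {
    "ritwickdey.liveserver": ("Live Server", "CVE-2025-65717", None),
    "formulahendry.code-runner": ("Code Runner", "CVE-2025-65715", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced", "CVE-2025-65716", None),
    "ms-vscode.live-server": ("Microsoft Live Preview", "no CVE", (0, 4, 16)),
}

# Constructed sample of `code --list-extensions --show-versions` output.
SAMPLE_LISTING = """\
ms-python.python@2024.22.0
ritwickdey.LiveServer@5.7.9
formulahendry.code-runner@0.12.2
ms-vscode.live-server@0.4.15
shd101wyy.markdown-preview-enhanced@0.8.15
"""

# Constructed sample workspace .vscode/settings.json (plain JSON, no comments).
SAMPLE_SETTINGS = '{"editor.tabSize": 2, "code-runner.executorMap": {"javascript": "node"}}'


def parse_version(version):
    """Turn '0.4.15' into (0, 4, 15); pre-release suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version)[:3])


def parse_extension_list(text):
    """Parse lines of the form publisher.name@version into {id: version}."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or "@" not in line:
            continue
        ext_id, _, version = line.rpartition("@")
        installed[ext_id.lower()] = version  # IDs are case-insensitive in practice
    return installed


def find_vulnerable(installed):
    """Return (id, version, name, cve) for each installed extension still affected."""
    findings = []
    for ext_id, version in installed.items():
        if ext_id not in AFFECTED:
            continue
        name, cve, fixed_in = AFFECTED[ext_id]
        if fixed_in is not None and parse_version(version) >= fixed_in:
            continue  # patched build, nothing to report
        findings.append((ext_id, version, name, cve))
    return findings


def suspicious_settings_keys(settings_text, prefix="code-runner."):
    """Flag workspace settings keys that configure Code Runner's executors.

    Assumption: these keys share the 'code-runner.' prefix. A workspace that
    arrived by email or chat and overrides them deserves a manual look.
    """
    data = json.loads(settings_text)
    return sorted(k for k in data if k.startswith(prefix))


if __name__ == "__main__":
    for ext_id, version, name, cve in find_vulnerable(parse_extension_list(SAMPLE_LISTING)):
        print(f"REMOVE/DISABLE {name} ({ext_id}@{version}): {cve}")
    for key in suspicious_settings_keys(SAMPLE_SETTINGS):
        print(f"REVIEW workspace setting: {key}")
```

Feed it the real listing from each endpoint and the `.vscode/settings.json` of any workspace that did not come from a trusted repository; a non-empty result from either function is an item for the checklist below.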

Extension Security Checklist

Control | Status Check
Non-essential extensions | Removed
Localhost servers | Disabled when idle
settings.json sources | Trusted repositories only
Extension permissions | Minimal required scopes
Marketplace monitoring | Block known malicious publishers

Industry-Wide Risks

Developers hold golden keys to:

  • Source code repositories.
  • CI/CD pipelines.
  • Cloud IAM credentials.
  • Production database access.

One extension flaw equals organization compromise.

Platform Recommendations

OX Security demands marketplace reforms:

  • Mandatory security scans before publishing.
  • CVSS scoring for all extensions.
  • 30-day patch deadlines for critical flaws.
  • Publisher verification and reputation scores.

AI coding agents accelerate extension sprawl.

FAQ

Which VS Code extensions have critical vulnerabilities?

Live Server (CVE-2025-65717), Code Runner (CVE-2025-65715), Markdown Preview Enhanced (CVE-2025-65716).

How many downloads do vulnerable extensions have?

128 million combined across four extensions.

What is the worst vulnerability found?

CVE-2025-65717 Live Server: CVSS 9.1 remote file exfiltration.

Did Microsoft issue a CVE for the Live Preview flaw?

No CVE issued. Patched silently in v0.4.16.

How do attackers exploit the Code Runner CVE?

A malicious settings.json triggers arbitrary code execution.

What should organizations do immediately?

Audit extensions, disable localhost servers, remove non-essential plugins.
