Critical VS Code Extension Flaws Put 125M+ Installs at Risk

Security researchers have uncovered several high-severity vulnerabilities affecting four widely used extensions in Microsoft Visual Studio Code (VS Code). If exploited, these flaws could allow attackers to steal local files or execute remote code on a developer’s machine.

The impacted extensions — Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview — have been installed more than 125 million times combined. The findings highlight how a single vulnerable extension can become an entry point for broader organizational compromise.

Key vulnerabilities include:

  • CVE-2025-65717 (CVSS 9.1) — in Live Server, enabling local file exfiltration via a malicious webpage abusing the localhost server at localhost:5500. (Unpatched)
  • CVE-2025-65716 (CVSS 8.8) — in Markdown Preview Enhanced, allowing arbitrary JavaScript execution through a crafted markdown file. (Unpatched)
  • CVE-2025-65715 (CVSS 7.8) — in Code Runner, allowing arbitrary code execution if users are tricked into modifying settings.json. (Unpatched)
  • Microsoft Live Preview — allowed access to sensitive local files via crafted localhost requests; quietly fixed in version 0.4.16 (September 2025).

Researchers warn that overly permissive, poorly designed, or malicious extensions can easily become a serious security risk. In many cases, a single click or opening a compromised repository is enough to trigger exploitation.

To reduce exposure, developers and IT teams should regularly audit installed extensions, avoid untrusted configurations, disable unnecessary add-ons, and keep all extensions up to date. Hardening local network access and turning off localhost services when not in use can further minimize the attack surface.
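The audit step above can be scripted against the four extensions named in the list. The following is an added example, not code from the article or from the affected projects; it assumes the marketplace extension IDs (looked up by the editor, not given in the article) and the `publisher.name@version` line format that `code --list-extensions --show-versions` prints, and it treats only Live Preview as having a fixed version (0.4.16), matching the article.

```python
import subprocess

# Marketplace extension IDs (looked up by the editor, not given in the article),
# mapped to display name, CVE from the article, and first fixed version
# (None = no fix published when the article ran).
AFFECTED = {
    "ritwickdey.liveserver": ("Live Server", "CVE-2025-65717", None),
    "shd101wyy.markdown-preview-enhanced": ("Markdown Preview Enhanced", "CVE-2025-65716", None),
    "formulahendry.code-runner": ("Code Runner", "CVE-2025-65715", None),
    "ms-vscode.live-server": ("Microsoft Live Preview", None, "0.4.16"),
}

def parse_version(v):
    """Turn '0.4.16' into (0, 4, 16) so versions compare numerically."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def audit_extensions(lines):
    """Check lines of `code --list-extensions --show-versions` output
    (format: publisher.name@version) and return (ext_id, version, advice)."""
    findings = []
    for line in lines:
        line = line.strip()
        if "@" not in line:
            continue  # blank line or non-extension output
        ext_id, _, version = line.rpartition("@")
        info = AFFECTED.get(ext_id.lower())
        if info is None:
            continue
        name, cve, fixed = info
        if fixed is None:
            findings.append((ext_id, version, f"{name} ({cve}): unpatched, disable until a fix ships"))
        elif parse_version(version) < parse_version(fixed):
            findings.append((ext_id, version, f"{name}: update to {fixed} or later"))
    return findings

def audit_installed():
    """Run the real VS Code CLI and audit what is actually installed."""
    proc = subprocess.run(["code", "--list-extensions", "--show-versions"],
                          capture_output=True, text=True, check=True)
    return audit_extensions(proc.stdout.splitlines())

# Constructed sample CLI output: three affected extensions plus one unrelated.
SAMPLE = """ritwickdey.LiveServer@5.7.9
ms-vscode.live-server@0.4.15
formulahendry.code-runner@0.12.2
ms-python.python@2024.22.2
"""
```

Call `audit_installed()` on a workstation to get the real findings; the constructed `SAMPLE` lets the logic run offline.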

Bottom line: securing your development environment isn’t just about the editor or OS — your extensions can be the weakest link.

Source: https://thehackernews.com/2026/02/critical-flaws-found-in-four-vs-code.html