Critical Flaws Found in Four VS Code Extensions with Over 125 Million Installs
Briefly

"CVE-2025-65717 (CVSS score: 9.1) - A vulnerability in Live Server that allows attackers to exfiltrate local files, tricking a developer into visiting a malicious website when the extension is running, causing JavaScript embedded in the page to crawl and extract files from the local development HTTP server that runs at localhost:5500, and transmit them to a domain under their control. (Remains unpatched)"
"CVE-2025-65716 (CVSS score: 8.8) - A vulnerability in Markdown Preview Enhanced that allows attackers to execute arbitrary JavaScript code by uploading a crafted markdown (.md) file, allowing local port enumeration and exfiltration to a domain under their control. (Remains unpatched)"
"CVE-2025-65715 (CVSS score: 7.8) - A vulnerability in Code Runner that allows attackers to execute arbitrary code by convincing a user to alter the "settings.json" file through phishing or social engineering. (Remains unpatched)"
"The extensions, which have been collectively installed more than 125 million times, are Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview. "Our research demonstrates that a hacker needs only one malicious extension, or a single vulnerability within one extension, to perform lateral movement and compromise entire organizations," OX Security researchers Moshe Siman Tov Bustan and Nir Zadok said in a report shared with The Hacker News."
Four popular Visual Studio Code extensions—Live Server, Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview—contain multiple critical security vulnerabilities that remain unpatched. The extensions have been installed collectively over 125 million times. Vulnerabilities include Live Server allowing JavaScript on a malicious webpage to crawl the localhost:5500 development server and exfiltrate files; Markdown Preview Enhanced permitting execution of arbitrary JavaScript via a crafted .md file enabling local port enumeration and exfiltration; Code Runner enabling arbitrary code execution through social-engineered modification of settings.json; Microsoft Live Preview allowing access to sensitive local files via malicious webpages. Successful exploitation permits lateral movement and organizational compromise.
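As an added defensive illustration (not code from the article, from OX Security, or from any of the four extensions): a request-header check that a local development HTTP server like the one in the Live Server description (listening on localhost:5500) could apply so that a page served from some other origin cannot read its files. The port, allowed host list, function names and sample request headers are all constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed assumptions: the dev server listens on port 5500 and is only ever
# meant to be reached by a browser tab that is itself on localhost.
DEV_PORT = 5500
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")
ALLOWED_HOST_HEADERS = {f"localhost:{DEV_PORT}", f"127.0.0.1:{DEV_PORT}", f"[::1]:{DEV_PORT}"}


def is_local_origin(origin: str) -> bool:
    """True only if an Origin header names the dev server itself (scheme, host and port)."""
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return False
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return parts.hostname in LOCAL_HOSTS and port == DEV_PORT


def should_serve(headers: dict) -> tuple[bool, str]:
    """Decide whether the dev server should answer a request.

    Denies requests whose Host header does not name the dev server (a foreign
    hostname resolving to 127.0.0.1) and requests that a browser marks as
    initiated by a page on another site, which is the scenario in the summary:
    JavaScript on a malicious web page fetching from localhost:5500.
    """
    h = {k.lower(): v for k, v in headers.items()}
    host = h.get("host", "")
    if host not in ALLOWED_HOST_HEADERS:
        return False, f"unexpected Host header: {host!r}"
    # Browsers attach Sec-Fetch-Site to every request; only same-origin fetches
    # and user-initiated navigations ("none") are expected for a dev server.
    site = h.get("sec-fetch-site")
    if site is not None and site not in ("same-origin", "none"):
        return False, f"cross-site request (Sec-Fetch-Site={site})"
    # Origin is present on cross-origin fetches and all non-GET requests.
    origin = h.get("origin")
    if origin is not None and not is_local_origin(origin):
        return False, f"foreign Origin: {origin}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: a normal tab on the dev server, and a fetch
    # issued by a page on an unrelated site.
    print(should_serve({"Host": "localhost:5500", "Sec-Fetch-Site": "none"}))
    print(should_serve({"Host": "localhost:5500", "Origin": "https://malicious-site.example",
                        "Sec-Fetch-Site": "cross-site"}))
```

A server that also wants to allow tooling without browser headers can keep the Host check and treat a missing Sec-Fetch-Site as a non-browser client, but it should never relax the Origin check.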
Read at The Hacker News