
"VS Code extensions are add-ons that expand the functionality of Microsoft's widely used code editor, adding capabilities such as language support, debugging tools, live preview, and code execution. They run with broad access to local files, terminals, and network resources, which is what made these vulnerabilities consequential. Unlike the rogue extensions that threat actors have repeatedly planted in the VS Code marketplace, these flaws resided in legitimate, widely installed tools, meaning developers had no reason to suspect them, OX Security said in an advisory."
"Critical and high-severity vulnerabilities were found in four widely used Visual Studio Code extensions with a combined 128 million downloads, exposing developers to file theft, remote code execution, and local network reconnaissance. Application security company OX Security published the findings this week, saying it had begun notifying vendors in June 2025 but received no response from three of the four maintainers. Three CVEs, CVE-2025-65717, CVE-2025-65715, and CVE-2025-65716, were formally assigned and published on February 16."
Critical and high-severity vulnerabilities were found in four widely used Visual Studio Code extensions with a combined 128 million downloads, exposing developers to file theft, remote code execution, and local network reconnaissance. Three of the four vulnerabilities remained unpatched months after being reported to the maintainers. Three CVEs, CVE-2025-65717, CVE-2025-65715, and CVE-2025-65716, were assigned and published on February 16. The most severe, CVE-2025-65717, affected Live Server (72 million downloads): while the extension's local HTTP server was running, it could be reached from any web page. The flaws also affected the Cursor and Windsurf IDEs, which build on the same extension ecosystem, and could enable lateral movement and organizational compromise.
Read at InfoWorld