What happened
Security researchers disclosed multiple high- and critical-severity vulnerabilities in widely used Visual Studio Code (VSCode) extensions, including Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview, which together account for more than 128 million downloads. The flaws, tracked as CVE-2025-65715, CVE-2025-65716, and CVE-2025-65717, let an attacker execute arbitrary code, read sensitive local files, and run malicious JavaScript. Each vector starts with attacker-supplied input: a malicious configuration change, a crafted Markdown file, or a web page the victim is lured into opening. Because these extensions run with the developer's own access to local files and system resources, a successful attack can lead to data theft, lateral movement, and full compromise of the workstation. The same extensions, and therefore the same vulnerabilities, also affect AI-powered VSCode-compatible IDEs such as Cursor and Windsurf.
Who is affected
Developers and organizations running vulnerable versions of Code Runner, Markdown Preview Enhanced, or Microsoft Live Preview, whether in VSCode itself or in VSCode-compatible IDEs such as Cursor and Windsurf.
Why CISOs should care
The vulnerabilities sit in developer tooling that runs with the developer's own privileges. A developer workstation typically holds API keys, cloud and repository credentials, and configuration files for internal systems, so compromising it gives an attacker both sensitive data and a foothold from which to move laterally into the enterprise network.
3 practical actions
- Remove or update vulnerable extensions. Update the affected extensions to a fixed release where one exists and remove them where it does not. Apply the same check to VSCode-compatible IDEs such as Cursor and Windsurf, which carry their own copies of the extensions.
- Audit developer environments. Inventory the extensions installed on developer machines, including their versions, and monitor for unexpected changes to workspace or user settings and for other suspicious activity originating from the editor process.
- Restrict use of untrusted content. All of the reported vectors begin with attacker-supplied input (a settings change, a Markdown file, a web page), so treat repository checkouts, shared settings files, and pasted configuration snippets from unknown sources as untrusted until reviewed.
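The inventory and removal steps above can be scripted. The following is an added example, not code from the advisory or from any of the extension projects. It parses the output of `code --list-extensions --show-versions` (one `publisher.name@version` line per extension), flags the three extensions named above, and prints the matching `--uninstall-extension` commands for review. The Marketplace identifiers are given from memory rather than taken from the advisory, so confirm them against the Marketplace before acting on the output; the sample input at the bottom is constructed for an offline run.

```shell
#!/bin/sh
# Added example (not from the advisory): triage installed VS Code extensions
# against the three extensions named in the advisory.
# Marketplace identifiers below are stated from memory, not from the advisory.
AFFECTED_IDS="formulahendry.code-runner shd101wyy.markdown-preview-enhanced ms-vscode.live-server"

# Read `code --list-extensions --show-versions` output (lines of the form
# publisher.name@version) on stdin and print "<id> <version>" for each
# extension that is on the affected list. Comparison is case-insensitive
# because publisher names can carry mixed case in the listing.
flag_affected_extensions() {
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    id=$(printf '%s' "${line%@*}" | tr '[:upper:]' '[:lower:]')
    version=${line#*@}
    for a in $AFFECTED_IDS; do
      if [ "$id" = "$a" ]; then
        printf '%s %s\n' "$id" "$version"
      fi
    done
  done
}

# Turn the hits into uninstall commands for the given editor CLI
# (code, cursor, windsurf). Commands are printed, not executed, so they can
# be reviewed against the vendor's fix status before running them.
uninstall_commands() {
  cli=${1:-code}
  flag_affected_extensions | while read -r id version; do
    printf '%s --uninstall-extension %s\n' "$cli" "$id"
  done
}

# Constructed sample listing so the script runs offline. On a real machine
# replace it with:  code --list-extensions --show-versions | uninstall_commands code
SAMPLE='ms-python.python@2024.1.0
formulahendry.code-runner@1.2.3
shd101wyy.markdown-preview-enhanced@1.2.3'
printf '%s\n' "$SAMPLE" | uninstall_commands code
```

Run it once per editor on the machine, since Cursor and Windsurf keep their own extension directories and expose the same `--list-extensions` flags through their own CLIs (assumed here from their VS Code lineage). On macOS the `code` command is only available after installing it from the Command Palette.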
