VSCode Extension Vulnerabilities Enable Remote Code Execution and File Theft

Related

AirDrop and Quick Share Flaws Allow Attackers to Crash Nearby Devices

What happened Security researchers disclosed multiple vulnerabilities affecting Apple AirDrop...

Langflow RCE Exploited to Deploy Monero Miner on Exposed AI App Endpoints

What happened Threat actors are exploiting a critical Langflow vulnerability...

BlueHammer Microsoft Defender Flaw Exploited in Ransomware Attacks

What happened CISA updated its Known Exploited Vulnerabilities catalog to...

Critical Dell Wyse Vulnerabilities Enable Remote Code Execution

What happened Dell Technologies released a critical security advisory for...

Insurance Regulators Group NAIC Hit in Oracle PeopleSoft Hack

What happened The National Association of Insurance Commissioners confirmed it...

Share

What happened

Security researchers discovered multiple high- and critical-severity vulnerabilities affecting widely used Visual Studio Code (VSCode) extensions including Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview, which collectively have over 128 million downloads. The flaws, tracked as CVE-2025-65715, CVE-2025-65716, and CVE-2025-65717, allow attackers to execute arbitrary code, access sensitive local files, and run malicious JavaScript through techniques such as malicious configuration changes, crafted Markdown files, or directing victims to attacker-controlled web pages. The vulnerabilities also affect AI-powered VSCode-compatible IDEs such as Cursor and Windsurf, and could enable data theft, lateral movement, and full system compromise due to the extensions’ privileged access to local files and system resources. 

Who is affected

Developers and organizations using vulnerable versions of affected VSCode extensions, including Code Runner, Markdown Preview Enhanced, and Microsoft Live Preview, are affected, particularly those relying on these extensions in development environments. 

Why CISOs should care

The vulnerabilities affect developer tooling with privileged system access, creating potential entry points for attackers to steal sensitive data such as API keys, configuration files, and credentials, and to move laterally within enterprise networks. 

3 practical actions

  • Remove or update vulnerable extensions. Ensure affected VSCode extensions are updated or removed if no fixes are available. 
  • Audit developer environments. Review installed extensions and monitor for unexpected configuration changes or suspicious activity. 
  • Restrict use of untrusted content. Avoid opening untrusted files or applying unknown configuration snippets in development tools.
IMG 0514 2
+ posts

John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.