IDE Supply Chain Blind Spot: High-Impact Flaws in Popular VS Code Extensions Enable Local File Theft and Remote Code Execution

1. Executive Summary

Security researchers have disclosed high-to-critical vulnerabilities across several widely used Visual Studio Code (VS Code) extensions—reported to total 128M+ installs—that could enable local file exfiltration and, in some cases, remote code execution (RCE) on developer workstations. According to OX Security’s published research, the issues affect Live Server (CVE-2025-65717), Code Runner (CVE-2025-65715), and Markdown Preview Enhanced (CVE-2025-65716), alongside a one-click XSS weakness in Microsoft Live Preview that was patched in v0.4.16. (BleepingComputer)
From a defensive standpoint, this is a developer-endpoint and build-pipeline risk: IDE extensions commonly operate with broad access to local files, terminals, and network resources, turning a single malicious workspace, Markdown file, or web page interaction into a foothold for broader compromise. (CSO Online)
As of publication, CISA’s Known Exploited Vulnerabilities (KEV) catalogue does not list these CVEs, and public reporting has not established confirmed exploitation at scale; however, the attack paths are practical in typical developer workflows. (CISA)

2. Contextual Background

2.1 Nature of the threat

The disclosed issues centre on trust boundaries inside the IDE: preview servers, renderers, and extension configuration surfaces that can be influenced by untrusted content (workspaces, Markdown, HTML, and settings snippets).

Affected components and identifiers (per OX Security and public reporting):

• Code Runner — CVE-2025-65715
  • “Vendor advisory”: No maintainer advisory identified in public reporting; primary disclosure is OX Security.
  • OX Security disclosure for CVE-2025-65715 | NVD (OX Security)
• Markdown Preview Enhanced — CVE-2025-65716
  • “Vendor advisory”: No maintainer advisory identified in public reporting; primary disclosure is OX Security.
  • OX Security disclosure for CVE-2025-65716 | NVD (OX Security)
• Live Server — CVE-2025-65717
  • “Vendor advisory”: No maintainer advisory identified in public reporting; primary disclosure is OX Security (referenced by NVD).
  • OX Security disclosure for CVE-2025-65717 | NVD (NVD)
• Microsoft Live Preview — one-click XSS (no CVE assigned in referenced reporting)
  • Patch is documented as shipped in v0.4.16 (11 September 2025).
  • OX Security report on Live Preview XSS | Microsoft Live Preview changelog showing 0.4.16 security note (OX Security)

Note: Some secondary articles summarise severity scores inconsistently across the set; defenders should treat NVD “Awaiting Analysis” status as a sign that scoring may evolve as enrichment completes. (NVD)

2.2 Threat-actor attribution

No specific threat actor attribution is established in the cited primary disclosures and mainstream reporting. This activity is best treated as an exposure to opportunistic exploitation (including targeted social engineering against developers). Confidence: Confirmed (no attribution) based on available sources. (BleepingComputer)

2.3 Sector and geographic targeting

While the vulnerabilities are not sector-specific, they disproportionately impact environments where developers:

• routinely open third-party repositories/workspaces,
• preview untrusted content,
• run local development servers,
• and store sensitive material locally (API keys, credentials, configs). (CSO Online)

Public reporting also notes applicability to VS Code-compatible IDEs, including Cursor and Windsurf, extending the risk to “AI-powered” developer tooling ecosystems that reuse extension compatibility. (Infosecurity Magazine)

3. Technical Analysis

3.1 Vulnerability and TTP overview (mapped to MITRE ATT&CK)

Below is a defensible ATT&CK mapping of common behaviours described in the disclosures and related reporting:

• User-driven execution / social engineering: convincing a developer to open a crafted workspace, Markdown file, or web page
  • T1204 (User Execution) (NVD)
• Drive-by style interaction with a malicious page while a local preview server is running
  • T1189 (Drive-by Compromise) (NVD)
• Local data access from the developer workstation (source code, secrets, configuration files)
  • T1005 (Data from Local System) (CSO Online)
• Command execution via extension-facilitated RCE paths
  • T1059 (Command and Scripting Interpreter) (NVD)
• Exfiltration over web protocols to attacker infrastructure (where described as “exfiltration” / “attacker-controlled server”)
  • T1041 (Exfiltration Over C2 Channel) (OX Security)

Per-CVE technical synopsis (source-bound):

• CVE-2025-65717 (Live Server): local file exfiltration via crafted HTML page interaction
  NVD describes file exfiltration risk via user interaction with a crafted HTML page. Additional reporting highlights the risk model around local preview servers being reachable in unsafe ways during browsing sessions. (NVD)
• CVE-2025-65715 (Code Runner): arbitrary code execution when opening a crafted workspace / abusing executor mapping
  NVD’s description references the code-runner.executorMap setting and “opening a crafted workspace” leading to arbitrary code execution. OX Security’s write-up describes configuration influence as a key mechanism. (NVD)
• CVE-2025-65716 (Markdown Preview Enhanced): code execution via a crafted Markdown file
  NVD states the issue affects Markdown Preview Enhanced and can enable arbitrary code execution via a crafted .md file; OX Security describes preview-context execution paths and related risks. (NVD)
• Microsoft Live Preview: one-click XSS enabling sensitive file access; patched in 0.4.16
  OX Security reports patching in 0.4.16 and Microsoft’s changelog records addressing XSS issues in that release. (OX Security)

3.2 Exploitation status and PoC availability

• CISA KEV: At the time of referenced reporting and checking the KEV catalogue entry point, these CVEs are not presented as KEV-listed. (CISA)
• Public PoCs: Secondary reporting references demonstrations (e.g., videos) rather than broadly weaponised exploit kits; treat as low barrier for targeted social engineering, not yet as mass-automation. (SOCRadar® Cyber Intelligence Inc.)

4. Impact Assessment

4.1 Severity and scope

• Impact: developer workstation compromise, theft of local secrets (API keys, tokens, config), and potential stepping-stone into CI/CD and corporate networks. (CSO Online)
• Scope: reporting cites 128M+ combined downloads across affected extensions, implying a broad exposure surface even if real-world exploitability varies by workflow and configuration. (BleepingComputer)

CVSS scoring across sources may differ while NVD enrichment is pending; always defer to the latest NVD record status during triage:

• NVD for CVE-2025-65715 (NVD)
• NVD for CVE-2025-65716 (NVD)
• NVD for CVE-2025-65717 (NVD)

4.2 Victim profile

Highest-risk environments include:

• engineering teams running local preview servers and routinely browsing untrusted content,
• organisations with developer secrets on endpoints and weak secret-scanning,
• teams adopting VS Code-compatible AI IDEs with extension parity (e.g., Cursor/Windsurf per reporting). (Infosecurity Magazine)

5. Indicators of Compromise (IOCs)

5.1 IOC table

Public disclosures and mainstream reporting referenced above do not provide a stable set of attacker IOCs (domains/IPs/hashes) suitable for defensive blocklists. To avoid fabrication, the table below focuses on defender-observable exposure indicators (installed extension + version posture), which are appropriate for fleet auditing.

5.2 Detection guidance (practical hunting)

Fleet auditing (priority):

• Enumerate installed VS Code extensions and versions across developer endpoints; flag the extensions above and validate version posture against your internal policy (especially Live Preview < 0.4.16). (OX Security)
• Monitor for unexpected changes to VS Code’s user settings, including suspicious modifications to execution-related mappings (relevant to executorMap abuse described for Code Runner). (NVD)

Endpoint telemetry ideas (SIEM/EDR):

• Alert on VS Code (or VS Code-compatible IDE) spawning shells with unusual parent/child patterns after opening a repository/workspace (maps to T1204 + T1059). (NVD)
• Alert on unexpected outbound connections immediately after rendering Markdown previews or running preview servers, especially if accompanied by reads of developer secret locations (maps to T1005 + T1041). (OX Security)

Rule content (public repositories):

• Where feasible, adapt generic child-process and suspicious network-egress rules from your preferred frameworks (Sigma/YARA) to VS Code process trees; this is safer than relying on IOCs that are not present in public reporting. (No vendor-published detection content was identified in the referenced sources.)

6. Incident Response Guidance

6.1 Containment, eradication, recovery

1. Containment
   • Temporarily remove or disable the affected extensions across managed developer endpoints until version posture is verified and risk accepted. (BleepingComputer)
   • Stop running localhost preview servers unless needed; avoid browsing untrusted sites while preview servers are active (risk emphasised in reporting around preview-server exposure). (CSO Online)
2. Eradication
   • Reinstall extensions from trusted publishers only after review; for Microsoft Live Preview, ensure ≥ 0.4.16. (OX Security)
   • Rotate potentially exposed secrets (API keys, tokens) if a developer opened untrusted workspaces/Markdown or interacted with crafted pages while vulnerable components were in use. (Infosecurity Magazine)
3. Recovery
   • Validate system integrity (persistence checks, startup items) if RCE is suspected; restore from known-good images where needed.

6.2 Forensic artefacts to preserve

• VS Code user/workspace settings (focus on execution-related settings and recently modified configuration files). (NVD)
• IDE logs (VS Code and VS Code-compatible IDE equivalents), extension logs where available.
• Browser history (if the Live Server / preview server scenario suggests malicious page interaction). (NVD)
• EDR process telemetry around the timeframe of opening the repository/workspace/Markdown and any unexpected child processes.

6.3 Lessons learned

Treat IDE extensions as supply chain components: apply allow-listing, version control, and continuous auditing—especially for extensions that start servers, render active content, or execute code. (Infosecurity Magazine)

7. Threat Intelligence Contextualisation

7.1 Similar incident patterns

This disclosure reinforces a recurring theme: developer tooling is a high-value target because it sits at the intersection of secrets, source code, and network access. OX Security and follow-on coverage explicitly frame IDE extensions as an organisational blind spot and a path to data theft and lateral movement. (CSO Online)

7.2 Full MITRE ATT&CK mapping table

8. Mitigation Recommendations

8.1 Hardening and best practices

• Extension allow-listing: permit only vetted publishers/extensions; remove unused extensions. (BleepingComputer)
• Local server hygiene: avoid running localhost servers unless required; do not browse untrusted content while they run. (CSO Online)
• Configuration governance: treat settings.json and workspace settings as controlled inputs; discourage pasting untrusted snippets. (OX Security)
• Secrets management: minimise secrets on endpoints; use vaults, short-lived tokens, and automated secret scanning of repos and local workspaces.

8.2 Patch and prioritisation guidance

• Immediate: ensure Microsoft Live Preview is updated to ≥ 0.4.16 (security fix recorded in changelog and OX Security reporting). (OX Security)
• High priority: if you cannot confirm maintainer patches for the community extensions, treat them as risk-accepted or remove until your organisation can validate safe versions and compensating controls. Public reporting indicates disclosure challenges and lack of maintainer response in the referenced timeframe. (BleepingComputer)
• Track enrichment on NVD entries for updated scoring/analysis: CVE-2025-65715 (NVD), CVE-2025-65716 (NVD), CVE-2025-65717 (NVD). (NVD)

9. Historical Context & Related Vulnerabilities

This disclosure aligns with a broader pattern of “trusted developer UX becomes an attack primitive” (preview servers, renderers, and automation helpers). In this case, multiple extensions present paths to local file access and/or code execution, reinforcing the need for IDE extension governance as part of software supply chain security. (CSO Online)

(No additional “previously exploited vulnerabilities from the same vendor/product family” were identified in the provided sources beyond the items in scope. This section should be expanded if your internal telemetry or vendor advisories surface prior related issues.)

10. Future Outlook

Expect increased attention from both defenders and adversaries on:

• preview server exposure and “localhost trust” assumptions,
• workspace-level configuration abuse (developer convenience features as code execution levers),
• VS Code-compatible AI IDE ecosystems that inherit extension risk at scale. (Infosecurity Magazine)

Given the breadth of installs cited in public reporting, even low-frequency targeted exploitation against high-value engineers (release managers, platform engineers, CI owners) can yield outsized returns. (CSO Online)

11. Further Reading

Primary research

• OX Security: CVE-2025-65715 (Code Runner) disclosure (OX Security)
• OX Security: CVE-2025-65716 (Markdown Preview Enhanced) disclosure (OX Security)
• OX Security: Live Preview one-click XSS report (OX Security)

Vulnerability records

• NVD: CVE-2025-65715 (NVD)
• NVD: CVE-2025-65716 (NVD)
• NVD: CVE-2025-65717 (NVD)

Secondary coverage

• BleepingComputer coverage of the affected VS Code extensions (BleepingComputer)
• CSO Online analysis of the Live Server attack model (CSO Online)
• Infosecurity Magazine on risks to VS Code, Cursor, and Windsurf users (Infosecurity Magazine)