Flaws in Popular IDE Extensions Allow Data Exfiltration
Flaws in Popular IDE Extensions Allow Data Exfiltration
https://www.infosecurity-magazine.com/news/vulnerabilities-vs-code-cursor/
Publish Date: 2026-02-19 05:45:00
Source Domain: www.infosecurity-magazine.com
Researchers at OX Security have detected four vulnerabilities in three of the most popular integrated development environments (IDEs) that could lead to cyber-attacks.
In a report published on February 17, OX Security shared details about the four new flaws, including two high-severity and one critical, affecting Microsoft Visual Studio Code (VS Code).
These vulnerabilities also impact Cursor and Windsurf, two forks of VS Code that provide AI-assisted software development tools (aka ‘vibe coding’ platforms).
The affected extensions were collectively downloaded over 128 million times.
The researchers warned that despite disclosing the vulnerabilities to these platforms’ maintainers in July and August 2025 through multiple channels, including direct email, their GitHub pages and social networks, none have yet responded.
Three of the vulnerabilities were disclosed by MITRE on February 16 and allocated a common vulnerabilities and exposures (CVE) identifier.
Vulnerabilities Affecting VS Code and ‘Vibe Coding’ Forks
The vulnerabilities described include:
- CVE-2025-65717 (CVSS v3.1 score: 9.1) is a vulnerability in the Live Server extension for VS Code – with over 72 million downloads – that allows a remote, unauthenticated attacker to exfiltrate files from a developer’s local machine. OX Security warned that attackers only need to send a malicious link to the victim while Live Server is running in the background to exploit the flaw
- CVE-2025-65716 (CVSS v3.1 score: 8.8) is a vulnerability in Markdown Preview Enhanced, a VS Code extension with over 8.5 million downloads designed to provide a richer Markdown authoring experience. It allows attackers to exploit how Markdown files preview HTML tags in order to execute arbitrary JavaScript code, which is able to communicate with localhost, allowing maliciously crafted Markdown files to scan the current local network and exfiltrate data to a remote server
- CVE-2025-65715 (CVSS v3.1 score: 7.8) is a…
