
Microsoft VS Code Extension with 11M Downloads Exposes Developers to One-Click XSS Attacks

A critical vulnerability discovered in Microsoft’s popular Visual Studio Code (VS Code) Live Preview extension, downloaded over 11 million times, exposes developers to one-click cross-site scripting (XSS) and local file exfiltration attacks.

The flaw, now patched, was discovered by researchers Nir Zadok and Moshe Siman Tov Bustan from OX Security. The issue affects all versions of the Live Preview extension up to 0.4.16.

The vulnerability arises from improper handling of untrusted input in the local development server that Live Preview runs on a developer’s machine.

When exploited, a malicious website could send unauthenticated HTTP requests to this locally hosted server, allowing attackers to enumerate files on the developer’s root directory.

By injecting a crafted JavaScript payload, threat actors could exploit a reflected XSS vulnerability within Live Preview’s file handling logic.

This flaw would allow them to access sensitive local files, such as environment configuration files (.env), API keys, or source code, and exfiltrate this data to an attacker-controlled server.

According to OX Security, the vulnerability was responsibly disclosed to Microsoft on August 7, 2025. Initially, Microsoft classified it as a low-severity issue, noting that it requires specific conditions and user interaction.

However, a silent patch was later released on September 11, 2025, in version 0.4.16, addressing the XSS issue without public acknowledgment.

Researchers verified that the patch implemented an escapeHTML function to sanitize input properly, neutralizing the attack vector.
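The pattern described above, a local development server reflecting untrusted request data into a directory listing, is shown below as an added example; this is illustrative code, not the Live Preview extension's own implementation, and the function names (renderListingVulnerable, renderListingHardened, tagNames) and the sample request path are assumptions constructed for the demonstration.

```javascript
// Added example (not the extension's code): how a reflected XSS arises in a
// local dev server's file listing, and how an escapeHTML step closes it.
const ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that can change HTML structure or break out of
// a quoted attribute value.
function escapeHTML(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ESCAPES[ch]);
}

// Vulnerable: the requested path and file names are interpolated into HTML
// as-is, so a crafted path is rendered as live markup in the developer's browser.
function renderListingVulnerable(requestPath, entries) {
  const items = entries
    .map((e) => `<li><a href="${requestPath}/${e}">${e}</a></li>`)
    .join('');
  return `<h1>Index of ${requestPath}</h1><ul>${items}</ul>`;
}

// Hardened: every untrusted value is escaped before it reaches the markup,
// both in element content and inside the href attribute.
function renderListingHardened(requestPath, entries) {
  const items = entries
    .map((e) => {
      const href = escapeHTML(`${requestPath}/${e}`);
      return `<li><a href="${href}">${escapeHTML(e)}</a></li>`;
    })
    .join('');
  return `<h1>Index of ${escapeHTML(requestPath)}</h1><ul>${items}</ul>`;
}

// Defensive check: list the tag names present in rendered output. A listing
// page should contain only the tags its template emits (h1, ul, li, a).
function tagNames(html) {
  return [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
}

// Constructed sample input: a request path carrying a classic harmless XSS probe.
const SAMPLE_PATH = '/src/<img src=x onerror=alert(1)>';
const SAMPLE_ENTRIES = ['index.html', '.env'];

console.log('vulnerable tags:', tagNames(renderListingVulnerable(SAMPLE_PATH, SAMPLE_ENTRIES)));
console.log('hardened tags:  ', tagNames(renderListingHardened(SAMPLE_PATH, SAMPLE_ENTRIES)));
```

The tag-name check is the kind of assertion a unit test for the listing handler can keep permanently: any tag outside the template's allowlist means untrusted input reached the page unescaped.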

Developers are strongly advised to update to the latest version immediately to prevent potential exploitation.

Systems running outdated versions of Live Preview are at risk of data exposure, especially if the extension remains active while browsing untrusted websites.

Exploitation Scenario

The attack requires minimal user interaction. When a developer has Live Preview running, visiting a compromised or malicious webpage could automatically trigger requests to the local Live Preview server (typically hosted on localhost:3000).

This would grant the attacker access to internal paths and allow JavaScript-based payloads to silently extract configuration files.

To reduce exposure:

Recommendation             | Action
Update Software            | Upgrade Live Preview to version 0.4.16 or later
Disable Extensions         | Remove or disable unused IDE extensions
Restrict Services          | Use a firewall to limit access to local development services
Disable Localhost Services | Turn off localhost-based services when not in use
Routine Updates            | Regularly apply updates across all development tools

Given the widespread use of VS Code in software development, this finding underscores the importance of securing developer environments and minimizing unnecessary local exposure during testing.

The post "Microsoft VS Code Extension with 11M Downloads Exposes Developers to One-Click XSS Attacks" appeared first on Cyber Security News.

Source: cybersecuritynews.com
