嗯,用户让我用中文帮他总结一下这篇文章的内容,控制在100个字以内,而且不需要以“文章内容总结”或“这篇文章”这样的开头,直接写描述。首先,我需要仔细阅读文章内容,抓住关键点。 文章主要讲的是Visual Studio Code(VSCode)的一些流行扩展存在高危到关键级别的漏洞。这些扩展被下载了超过1.28亿次,包括Live Server、Code Runner、Markdown Preview Enhanced和Microsoft Live Preview。研究人员在2025年6月就发现了这些问题,并尝试披露,但维护者没有回应。 这些漏洞可能导致远程代码执行和文件窃取。比如,Live Server的一个漏洞可以让攻击者通过恶意网页窃取本地文件;Code Runner的一个漏洞则允许通过修改配置文件来执行远程代码。此外,还有针对Markdown Preview Enhanced和Microsoft Live Preview的漏洞。 建议开发者避免不必要的扩展安装,并从信誉良好的发布者那里安装扩展,同时监控设置变化。 现在我需要把这些信息浓缩到100字以内。要涵盖主要问题:VSCode扩展的高危漏洞、影响范围、可能的攻击后果以及建议措施。 可能的结构是:首先点明问题,然后说明影响范围和后果,最后给出建议。这样既全面又简洁。 </think> Visual Studio Code 的多个流行扩展存在高危至关键级别漏洞,影响超1.28亿次下载。攻击者可利用这些漏洞窃取本地文件或远程执行代码。涉及 Live Server、Code Runner 等扩展。研究人员已披露问题但未获回应。 2026-2-17 21:30:28 Author: www.bleepingcomputer.com(查看原文) 阅读量:1 收藏
Vulnerabilities with high to critical severity ratings affecting popular Visual Studio Code (VSCode) extensions collectively downloaded more than 128 million times could be exploited to steal local files and execute code remotely.
The security issues impact Live Server (CVE-2025-65715), Code Runner (CVE-2025-65716), Markdown Preview Enhanced (CVE-2025-65717), and Microsoft Live Preview (no identifier assigned).
Researchers at application security company Ox Security discovered the flaws and tried to disclose them since June 2025. However, the researchers say that no maintainer responded.
Remote code execution in IDE
VSCode extensions are add-ons that expand the functionality of Microsoft's integrated development environment (IDE). They can add language support, debugging tools, themes, and other functionality or customization options.
They run with significant access to the local development environment, including files, terminals, and network resources.
Ox Security published reports for each of the discovered flaws and warned that keeping the vulnerable extensions could expose the corporate environment to lateral movement, data exfiltration, and system takeover.
An attacker exploiting the CVE-2025-65717 critical vulnerability in the Live Server extension (over 72 million downloads on VSCode) can steal local files by directing the target to a malicious webpage.
The CVE-2025-65715 vulnerability in the Code Runner VSCode extension, with 37 million downloads, allows remote code execution by changing the extension's configuration file. This could be achieved through tricking the target into pasting or applying a maliciously configuration snippet in the global settings.json file.
Rated with a high-severity score of 8.8, CVE-2025-65716 affects the Markdown Preview Enhanced (8.5 million downloads) and can be leveraged to execute JavaScript via maliciously crafted Markdown file.
Ox Security researchers discovered a one-click XSS vulnerability in versions of Microsoft Live Preview before 0.4.16. It can be exploited to access sensitive files on a developer's machine. The extension has more than 11 million downloads on VSCode.
The flaws in the extensions also apply to Cursor and Windsurf, which are AI-powered VSCode-compatible alternative IDEs.
Ox Security's report highlights that the risks associated with a threat actor leveraging the issues include pivoting on the network and stealing sensitive details like API keys and configuration files.
Developers are advised to avoid running localhost servers unless necessary, opening untrusted HTML while they’re running, and applying untrusted configurations or pasting snippets into settings.json.
Also, it is advisable to remove unnecessary extensions and only install those from reputable publishers, while monitoring for unexpected setting changes.
The future of IT infrastructure is here
Modern IT infrastructure moves faster than manual workflows can handle.
In this new Tines guide, learn how your team can reduce hidden manual delays, improve reliability through automated response, and build and scale intelligent workflows on top of tools you already use.
如有侵权请联系:admin#unsafe.sh