Critical VS Code Flaw (CVE-2025-65717) Exposes Millions of Developers to Remote File Theft via Live Server Extension

On 16 February 2026, a critical vulnerability identified as CVE-2025-65717 was published in the Common Vulnerabilities and Exposures (CVE) list, affecting the Live Server extension for Visual Studio Code (VS Code) — a widely used tool installed by millions of developers globally.

Live Server’s core functionality makes it invaluable for developers: it runs a local HTTP server and auto-reloads browsers when workspace files change, enabling real-time page previews during development. However, this convenience comes with a significant security risk.


Threat Overview

The security flaw resides in Live Server v5.7.9 and earlier versions. When the extension is active, it exposes a development server on localhost without restricting access from remote origins. This misconfiguration allows crafted web pages hosted externally to interact with the local server as if they were trusted, enabling unauthenticated attackers to access and exfiltrate files from a developer’s machine.

In practical terms:

  • A user with Live Server running who opens a maliciously constructed HTML page in their default browser can inadvertently allow that page to send requests to the localhost development server.
  • Because the extension does not validate the request's origin or apply a restrictive Cross-Origin Resource Sharing (CORS) policy, such cross-origin requests succeed, and the external site can read the files Live Server is serving locally.

This behavior creates an attack vector where an adversary can browse project files, configuration files, or other sensitive local data and transmit them to a remote server under the attacker’s control.


Severity and Impact

According to public vulnerability records, CVE-2025-65717 carries a Critical severity rating, with a CVSS score of 9.1, reflecting the serious nature of this flaw.

Key characteristics that contribute to the high severity include:

  • Network-accessible: The vulnerability can be triggered via network traffic without physical access.
  • Low complexity: No special conditions are required to exploit it; a crafted webpage and Live Server running are sufficient.
  • No privileges needed: It does not require elevated permissions on the developer’s system.
  • Data confidentiality impact: Successful exploitation can result in unauthorized access to and exfiltration of local files.

These factors make this vulnerability particularly dangerous in environments where developers frequently test pages using Live Server — especially when networks contain sensitive project data or credentials.


Technical Root Cause

The issue stems primarily from how Live Server handles HTTP requests from external origins. By default, it does not enforce origin checks or a restrictive CORS policy, meaning that a remote website can issue cross-origin requests to the local server endpoint (typically on localhost:PORT). The browser's same-origin policy offers no protection here because the extension's server accepts requests from any origin and answers them as if they were trusted.

An attacker can use this to issue repeated requests that enumerate and retrieve the project files the local server exposes, including:

  • Source code files (.js, .html, .css)
  • Configuration files (such as .env, settings.json)
  • Sensitive data or credentials stored within the workspace

Once retrieved, the malicious page can transmit this data to a controlled server using JavaScript — all without requiring user interaction beyond initially opening the malicious page.


Exploitation Scenario

A typical exploitation flow looks like this:

  1. Live Server is running in a developer’s VS Code session.
  2. The developer is tricked into opening a crafted HTML page (for example, via email or an external website).
  3. That page executes JavaScript that sends HTTP requests to the local Live Server instance.
  4. The server responds with local file contents, which the page captures.
  5. The captured data is exfiltrated to an attacker-controlled endpoint.

Without proper CORS or origin validation, the localhost server trusts the malicious page implicitly, enabling the attack.


Mitigation and Best Practices

To protect against CVE-2025-65717, developers and teams should consider the following actions:

  • Update the Live Server extension to a patched version as soon as one is available from the extension’s repository or marketplace.
  • Disable Live Server when not actively used — especially on machines with sensitive project data.
  • Avoid opening untrusted web pages while Live Server (or other localhost servers) is running.
  • Implement firewall rules to limit access to localhost ports used by development servers.

These steps help reduce the chances of remote sites interacting with localhost development services in unintended ways.


Final Thoughts

CVE-2025-65717 highlights a growing challenge in modern development workflows: local tooling can be an attack surface if not properly secured. Extensions like Live Server operate powerful local services — but without robust security controls, they can unintentionally expose developers to significant risk.

By staying aware of vulnerabilities in commonly used extensions and applying conservative best practices, developers can mitigate risks while still enjoying the productivity benefits that tools like Live Server provide.