CVE-2025-65717 Overview
A Cross-Site Scripting (XSS) vulnerability exists in the Visual Studio Code Live Server extension version 5.7.9 that allows attackers to exfiltrate files from a victim's system. The vulnerability requires user interaction, specifically tricking a user into interacting with a maliciously crafted HTML page served through the Live Server extension.
Critical Impact
Attackers can exfiltrate sensitive files from developers' local machines through a crafted HTML page when using the Live Server extension for web development.
Affected Products
- Visual Studio Code Live Server Extension v5.7.9
Discovery Timeline
- 2026-02-16 - CVE-2025-65717 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-65717
Vulnerability Analysis
This vulnerability (CWE-79) represents a Cross-Site Scripting flaw in the Live Server extension, a popular Visual Studio Code extension used by developers to launch a local development server with live reload capability. The extension serves local files over HTTP, creating a potential attack surface when malicious HTML content is introduced.
The vulnerability allows attackers to craft malicious HTML pages that, when served through Live Server and interacted with by the user, can exfiltrate local files. This is particularly concerning for developers who may inadvertently open untrusted HTML files during their development workflow, potentially exposing source code, configuration files, or credentials stored locally.
Root Cause
The root cause stems from improper input validation and sanitization within the Live Server extension's handling of HTML content. The extension fails to adequately restrict or sanitize content served through its local development server, allowing malicious scripts embedded in HTML pages to execute with access to local file system resources. This lack of proper Content Security Policy enforcement and insufficient sandboxing enables cross-origin data exfiltration through crafted payloads.
Attack Vector
The attack requires a network-based approach where an attacker must convince a developer to open a malicious HTML file through the Live Server extension. The attack vector involves:
- The attacker creates a crafted HTML page containing malicious JavaScript
- The victim developer obtains or clones a project containing the malicious HTML file
- The developer uses Live Server to preview the HTML page during development
- User interaction with the page triggers the malicious payload
- The payload exploits the XSS vulnerability to read and exfiltrate local files to an attacker-controlled server
The vulnerability mechanism leverages the trusted context of the Live Server's local HTTP server to bypass browser security restrictions. When the malicious HTML page is served, it can execute scripts that access the local file system through various techniques enabled by the extension's permissive configuration, ultimately transmitting file contents to external endpoints.
For detailed technical analysis, see the Ox Security Blog Analysis.
Detection Methods for CVE-2025-65717
Indicators of Compromise
- Unexpected outbound network connections from VS Code or Live Server processes to external domains
- JavaScript payloads in HTML files attempting to access local file paths or use fetch/XMLHttpRequest to external endpoints
- Unusual file read activity within the VS Code workspace during Live Server sessions
- Network traffic containing base64-encoded file contents being transmitted externally
Detection Strategies
- Monitor for VS Code extensions making unexpected external network connections
- Implement network egress filtering to detect anomalous data exfiltration patterns from development environments
- Scan HTML files in repositories for suspicious JavaScript patterns such as fetch() calls to external domains or file system access attempts
- Use browser developer tools to inspect network activity when previewing untrusted HTML files
Monitoring Recommendations
- Enable detailed logging for VS Code and extension activity during development sessions
- Implement endpoint detection rules for unusual VS Code process behavior, particularly network activity
- Review and audit third-party HTML/JavaScript files before previewing with Live Server
- Configure network monitoring to alert on outbound connections from development tool processes to unknown external endpoints
How to Mitigate CVE-2025-65717
Immediate Actions Required
- Update the Live Server extension to the latest available version from the VS Code Marketplace
- Avoid opening untrusted HTML files with Live Server until a patch is confirmed
- Review any recently cloned or downloaded projects for suspicious HTML or JavaScript content
- Consider using alternative local development servers with stronger security controls for handling untrusted content
Patch Information
Check the GitHub Live Server Project for the latest security updates and patches addressing this vulnerability. Users should ensure they are running the most recent version of the extension and monitor the project's releases for security-related updates.
Workarounds
- Disable the Live Server extension when not actively needed for trusted projects
- Use browser DevTools Network tab to monitor for suspicious outbound requests when previewing HTML files
- Implement a Content Security Policy header in your development environment to restrict script execution and external connections
- Preview untrusted HTML files in an isolated browser sandbox or virtual machine environment
# Configuration example - Disable Live Server extension when not in use
# In VS Code, you can disable extensions per workspace
# Press Ctrl+Shift+P (Cmd+Shift+P on Mac) and run:
# "Extensions: Disable (Workspace)" for Live Server
# Alternatively, configure VS Code to prompt before running Live Server on untrusted files
# Add to settings.json:
# "security.workspace.trust.enabled": true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
