Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-65717

CVE-2025-65717: VS Code Live Server XSS Vulnerability

CVE-2025-65717 is an XSS flaw in Visual Studio Code Extensions Live Server v5.7.9 that enables attackers to exfiltrate files through crafted HTML pages. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-65717 Overview

A Cross-Site Scripting (XSS) vulnerability exists in the Visual Studio Code Live Server extension version 5.7.9 that allows attackers to exfiltrate files from a victim's system. The vulnerability requires user interaction, specifically tricking a user into interacting with a maliciously crafted HTML page served through the Live Server extension.

Critical Impact

Attackers can exfiltrate sensitive files from developers' local machines through a crafted HTML page when using the Live Server extension for web development.

Affected Products

  • Visual Studio Code Live Server Extension v5.7.9

Discovery Timeline

  • 2026-02-16 - CVE-2025-65717 published to NVD
  • 2026-02-18 - Last updated in NVD database

Technical Details for CVE-2025-65717

Vulnerability Analysis

This vulnerability (CWE-79) represents a Cross-Site Scripting flaw in the Live Server extension, a popular Visual Studio Code extension used by developers to launch a local development server with live reload capability. The extension serves local files over HTTP, creating a potential attack surface when malicious HTML content is introduced.

The vulnerability allows attackers to craft malicious HTML pages that, when served through Live Server and interacted with by the user, can exfiltrate local files. This is particularly concerning for developers who may inadvertently open untrusted HTML files during their development workflow, potentially exposing source code, configuration files, or credentials stored locally.

Root Cause

The root cause stems from improper input validation and sanitization within the Live Server extension's handling of HTML content. The extension fails to adequately restrict or sanitize content served through its local development server, allowing malicious scripts embedded in HTML pages to execute with access to local file system resources. This lack of proper Content Security Policy enforcement and insufficient sandboxing enables cross-origin data exfiltration through crafted payloads.

Attack Vector

The attack requires a network-based approach where an attacker must convince a developer to open a malicious HTML file through the Live Server extension. The attack vector involves:

  1. The attacker creates a crafted HTML page containing malicious JavaScript
  2. The victim developer obtains or clones a project containing the malicious HTML file
  3. The developer uses Live Server to preview the HTML page during development
  4. User interaction with the page triggers the malicious payload
  5. The payload exploits the XSS vulnerability to read and exfiltrate local files to an attacker-controlled server

The vulnerability mechanism leverages the trusted context of the Live Server's local HTTP server to bypass browser security restrictions. When the malicious HTML page is served, it can execute scripts that access the local file system through various techniques enabled by the extension's permissive configuration, ultimately transmitting file contents to external endpoints.

For detailed technical analysis, see the Ox Security Blog Analysis.

Detection Methods for CVE-2025-65717

Indicators of Compromise

  • Unexpected outbound network connections from VS Code or Live Server processes to external domains
  • JavaScript payloads in HTML files attempting to access local file paths or use fetch/XMLHttpRequest to external endpoints
  • Unusual file read activity within the VS Code workspace during Live Server sessions
  • Network traffic containing base64-encoded file contents being transmitted externally

Detection Strategies

  • Monitor for VS Code extensions making unexpected external network connections
  • Implement network egress filtering to detect anomalous data exfiltration patterns from development environments
  • Scan HTML files in repositories for suspicious JavaScript patterns such as fetch() calls to external domains or file system access attempts
  • Use browser developer tools to inspect network activity when previewing untrusted HTML files

Monitoring Recommendations

  • Enable detailed logging for VS Code and extension activity during development sessions
  • Implement endpoint detection rules for unusual VS Code process behavior, particularly network activity
  • Review and audit third-party HTML/JavaScript files before previewing with Live Server
  • Configure network monitoring to alert on outbound connections from development tool processes to unknown external endpoints

How to Mitigate CVE-2025-65717

Immediate Actions Required

  • Update the Live Server extension to the latest available version from the VS Code Marketplace
  • Avoid opening untrusted HTML files with Live Server until a patch is confirmed
  • Review any recently cloned or downloaded projects for suspicious HTML or JavaScript content
  • Consider using alternative local development servers with stronger security controls for handling untrusted content

Patch Information

Check the GitHub Live Server Project for the latest security updates and patches addressing this vulnerability. Users should ensure they are running the most recent version of the extension and monitor the project's releases for security-related updates.

Workarounds

  • Disable the Live Server extension when not actively needed for trusted projects
  • Use browser DevTools Network tab to monitor for suspicious outbound requests when previewing HTML files
  • Implement a Content Security Policy header in your development environment to restrict script execution and external connections
  • Preview untrusted HTML files in an isolated browser sandbox or virtual machine environment
bash
# Configuration example - Disable Live Server extension when not in use
# In VS Code, you can disable extensions per workspace
# Press Ctrl+Shift+P (Cmd+Shift+P on Mac) and run:
# "Extensions: Disable (Workspace)" for Live Server

# Alternatively, configure VS Code to prompt before running Live Server on untrusted files
# Add to settings.json:
# "security.workspace.trust.enabled": true

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.