Critical Flaws in Popular VSCode Extensions Expose Developers to File Theft and RCE

By Azhar Khan

Security researchers have disclosed critical and high-severity vulnerabilities affecting widely used Visual Studio Code (VSCode) extensions, potentially exposing developers to local file theft and remote code execution (RCE). The impacted extensions collectively account for more than 128 million downloads, significantly amplifying the potential attack surface.

The findings were publicly released by Ox Security after the extension maintainers reportedly failed to respond to responsible disclosure attempts.

What the Vulnerabilities Enable

The disclosed flaws could allow attackers to:

  • Access and exfiltrate sensitive local files
  • Execute arbitrary code on a developer’s system
  • Abuse misconfigured extension permissions

Because VSCode extensions often operate with broad access to the local workspace, exploitation could expose source code, environment variables, API keys, SSH keys, and other sensitive development artifacts.

Attack Scenarios

Researchers warned that the vulnerabilities may be triggered when developers open untrusted HTML files or interact with locally hosted development servers (localhost). In such cases, malicious content could abuse extension functionality to escalate privileges or retrieve restricted files.

This risk is especially concerning in environments where developers test third-party code, web templates, or externally sourced projects.

Scale of Exposure

The affected extensions have been downloaded more than 128 million times combined, making the issue widespread across enterprise and individual developer environments.

Given VSCode’s popularity in both open-source and corporate ecosystems, compromised extensions could serve as a stepping stone for broader supply chain attacks.

Disclosure and Maintainer Response

Ox Security stated that it disclosed the vulnerabilities publicly after failing to receive responses from the maintainers within a reasonable timeframe. Public disclosure increases awareness but may also accelerate exploitation attempts if patches are not quickly issued.

Developer Mitigation Steps

Security experts recommend the following precautions:

  • Remove unnecessary or unused VSCode extensions
  • Avoid opening untrusted HTML files inside the editor
  • Exercise caution when running local development servers
  • Monitor for unexpected configuration or permission changes
  • Keep extensions and VSCode itself fully updated
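One way to put the first, fourth, and fifth precautions into practice is to compare what is installed against an approved baseline. The script below is an added example, not code from Ox Security or the affected extensions; the extension IDs, versions, and baseline are constructed placeholders, and it assumes the `code` launcher is on PATH when run against a real installation.

```python
import subprocess

def parse_extension_list(text):
    """Parse `code --list-extensions --show-versions` output into {id: version}."""
    installed = {}
    for line in text.splitlines():
        line = line.strip()
        ext_id, sep, version = line.rpartition("@")
        # Skip blank lines and banner lines (which contain spaces or no "@").
        if sep and ext_id and version and " " not in line:
            installed[ext_id.lower()] = version  # normalise case for comparison
    return installed

def audit(installed, baseline):
    """Compare installed extensions with an approved {id: version} baseline."""
    baseline = {ext.lower(): ver for ext, ver in baseline.items()}
    return {
        # Installed but never approved: candidates for removal.
        "unapproved": sorted(set(installed) - set(baseline)),
        # Approved, but the version differs from the one that was reviewed.
        "changed": sorted((e, baseline[e], v) for e, v in installed.items()
                          if e in baseline and v != baseline[e]),
        # Approved but no longer present on this machine.
        "missing": sorted(set(baseline) - set(installed)),
    }

def installed_from_cli():
    """Query the local editor; requires the `code` launcher on PATH."""
    out = subprocess.run(["code", "--list-extensions", "--show-versions"],
                         capture_output=True, text=True, check=True).stdout
    return parse_extension_list(out)

# Constructed sample output and baseline (placeholder IDs, not real extensions).
SAMPLE_OUTPUT = """\
Extensions installed on SSH: dev@build-host:
example-publisher.approved-linter@2.4.1
example-publisher.html-previewer@0.9.0
Other-Vendor.local-server@5.7.2
"""
BASELINE = {
    "example-publisher.approved-linter": "2.4.1",
    "other-vendor.local-server": "5.7.0",
}

if __name__ == "__main__":
    report = audit(parse_extension_list(SAMPLE_OUTPUT), BASELINE)
    for finding, items in report.items():
        print(f"{finding}: {items}")
```

Swap `parse_extension_list(SAMPLE_OUTPUT)` for `installed_from_cli()` to audit a real workstation, and store the baseline where the team reviews changes to it.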

A Broader Supply Chain Concern

The incident underscores the growing security risks associated with developer tooling ecosystems. Extensions often receive deep access to files, terminals, and system resources, making them high-value targets for attackers.

As development environments become increasingly modular and plugin-driven, maintaining strict oversight of installed extensions will be critical to reducing the risk of compromise.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.