CVE-2025-65717: [PoC]

Overview

A critical security vulnerability has been identified in the popular “Live Server” extension for Visual Studio Code. This extension, used by developers to launch a local development web server with live reload capability, contains a flaw that could allow an attacker to steal sensitive files from a developer’s computer.

Vulnerability in Simple Terms

When a developer uses the affected version of the Live Server extension, it starts a local web server to preview their project. Due to a flaw in this version, if a developer is tricked into opening a specially crafted HTML page with this server running, that malicious page can silently send files from the developer’s project directory-and potentially other accessible locations-to an attacker-controlled server. This exploitation requires the developer to interact with the page (e.g., click on it), but no further warnings are given.

Potential Impact

The impact of this vulnerability is severe. Successful exploitation could lead to:

• Source Code Theft: Exfiltration of proprietary application source code, intellectual property, or internal tools.
• Credential Leakage: Theft of configuration files that may contain API keys, database passwords, or other secrets often stored within project directories.
• Data Breach: Unauthorized access to sensitive data files being used in the development or testing environment. The high severity score (CVSS 9.1) reflects the low attack complexity and the high potential for loss of confidentiality.

Remediation and Mitigation Advice

Immediate action is required to secure development environments.

1. Update Immediately: The primary fix is to update the Live Server extension to the latest version. The extension maintainer has released a patched version. Open VS Code, go to the Extensions view (Ctrl+Shift+X), find “Live Server,” and ensure it is updated to version 5.7.10 or later.

2. Mitigation for Unpatched Systems: If updating is not immediately possible, the risk can be significantly reduced by:

   • Stopping the Live Server when it is not actively needed for previewing work.
   • Avoiding Unknown HTML Files: Do not open or preview HTML files from untrusted sources while the Live Server is active.
   • Using Alternative Tools: Consider temporarily using a different local development server or VS Code extension until the update can be applied.

3. General Security Hygiene:

   • Regularly audit project folders for sensitive files like .env files or private keys. Use .gitignore appropriately.
   • Consider using secret management tools instead of storing credentials in plain text within project directories.

All developers and IT administrators managing development workstations should verify the extension version and apply this update as a critical priority.