CVE-2025-65717 in vscode-live-server

Summary

by MITRE • 02/16/2026

An issue in Visual Studio Code Extensions Live Server v5.7.9 allows attackers to exfiltrate files via user interaction with a crafted HTML page.


Analysis

by VulDB Data Team • 02/20/2026

CVE-2025-65717 affects version 5.7.9 of the Live Server extension for Visual Studio Code (vscode-live-server). According to the MITRE description, the flaw lets an attacker exfiltrate files from the developer's machine when the user interacts with a crafted HTML page. The extension exists to serve workspace files over HTTP on localhost for testing, and that local web server, together with the browser the developer uses to view it, is the attack surface: a crafted page the developer opens can interact with the served files. The public description gives no further technical detail; the remainder of this analysis is VulDB's reading of the issue.

The published description is consistent with insufficient validation of the paths the extension's HTTP server will serve. If file-system access requests originating from a crafted page are not confined to the workspace root, the page can cause the server to read files outside it and hand their contents to the attacker. That is the path-traversal pattern (CWE-22): attacker-controlled input crosses the intended file-access boundary and reaches directories and files that were never meant to be served. This mechanism is inferred, not confirmed; the MITRE entry establishes only that a crafted HTML page plus user interaction results in file exfiltration.

The impact goes beyond the theft of a single file. The attack trades on the trust developers place in their local environment: a page that looks like part of the project, opened while the local server is running, is not something most developers treat as hostile. A served workspace typically contains source code, configuration, and credentials kept in local files, so a successful read can expose the project itself and, in enterprise settings, whatever corporate data is reachable from the developer's workstation.

VulDB classifies the issue under CWE-22 (Path Traversal) and CWE-79 (Cross-Site Scripting), reflecting file-system access driven by script running in a web context, and maps it to ATT&CK T1566 (Phishing), because user interaction with attacker-supplied content is required, and T1059 (Command and Scripting Interpreter), for the script that performs the file access. The expected chain is: the attacker delivers a crafted HTML page; the developer opens it in a browser while Live Server is running; script in the page reaches the local server and retrieves files. The broader point for defenders is the trust model between development tools and the local file system: a local HTTP server that any page loaded in the browser can send requests to extends the browser's attack surface to the workspace, and developer tooling belongs in the organisation's attack-surface inventory on that basis.

Mitigation starts with updating to a Live Server release that addresses the issue; this entry does not name one, so confirm the fix in the extension's changelog before relying on a version. Beyond patching: run local development servers as the unprivileged user and bound to the loopback interface only, bearing in mind that loopback binding keeps other hosts off the server but does nothing against a page in the developer's own browser; treat HTML from untrusted sources as untrusted even when it is opened through a development tool; and control which extensions developers may install, so that an extension's ability to read the file system is a reviewed decision rather than a default. Monitoring developer workstations for unexpected outbound connections can catch the exfiltration step after the fact. The underlying lesson is that development toolchains bridging a browser and the local file system are security boundaries and deserve the same testing as production components.

Responsible

MITRE

Reservation

11/18/2025

Disclosure

02/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00051

KEV

no

Activities

very low

Sources
