XSS Bug in VS Code Extension Exposed Local Files | eSecurity Planet

XSS Bug in VS Code Extension Exposed Local Files

An XSS flaw in the VS Code Live Preview extension exposed developers’ local files and credentials through the localhost server.

Written by Ken Underhill
Feb 18, 2026

A widely used Microsoft Visual Studio Code (VS Code) extension quietly exposed millions of developers to potential local file exfiltration through a cross-site scripting (XSS) flaw. 

The issue affected the official Live Preview extension — downloaded more than 11 million times — and allowed malicious websites to interact with a developer’s localhost environment. 

An “… unauthenticated request from a malicious website can enumerate internal root files on the developer’s machine running the Live Preview server,” said OX Security researchers.

Inside the VS Code XSS Flaw

Live Preview is an official Microsoft VS Code extension that allows developers to render and test web applications locally without leaving the IDE. 

To enable this functionality, the extension runs an embedded HTTP server on the developer’s machine, typically accessible through a localhost address. 

While this architecture streamlines development workflows, it also means the extension processes web requests and interacts directly with the local filesystem — making secure input handling essential. 

The issue stemmed from improper handling of untrusted input in the Live Preview server's error path. 

When a requested page did not exist, the server built its "page not found" response from a request-derived value held in a parameter called relativePathFormatted and reflected that value back to the browser without escaping it. 

Because the value was not escaped, an attacker could put a crafted JavaScript payload into the request and the server would echo it into the HTML response as live markup, a classic reflected XSS vulnerability.

In practice, if a developer had Live Preview running and visited a malicious or compromised website, that site could make the developer's own browser send HTTP requests to the local Live Preview server; the server required no authentication, so nothing distinguished those requests from the developer's own. 

Due to the XSS condition, the injected script executed in the origin of the trusted localhost service and inherited that origin's same-origin access. It could therefore request any path the Live Preview server was willing to serve and forward the responses to the attacker, which is what allowed external web content to reach internal development resources.

Researchers demonstrated that this behavior could enable attackers to enumerate internal root directories, access sensitive local files such as .env configuration files, extract API keys and passwords, and retrieve proprietary source code. 

All versions of Live Preview up to 0.4.16 are affected by the vulnerability.

Microsoft has since addressed the issue in the latest release by properly escaping (sanitizing) the affected input, but any system still running an outdated version remains exposed to potential data exfiltration.
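The bug class in working code, as an added example that is not the Live Preview extension's own code: a small Node.js file handler whose 404 page reflects the requested path unescaped, beside a hardened handler that escapes the value and refuses cross-site browser requests. relativePathFormatted is the parameter name reported for Live Preview; the page markup, helper names, the in-memory file set (including a constructed .env), the port and the 403 policy are assumptions made for the example.

```javascript
// Added example, not the Live Preview extension's own code. "relativePathFormatted"
// is the parameter name reported for Live Preview; everything else here (markup,
// helper names, in-memory files, port, 403 policy) is an assumption.

// Constructed stand-in for the project folder a local dev server exposes.
const FILES = new Map([
  ["/index.html", "<!DOCTYPE html><p>hello</p>"],
  ["/.env", "API_KEY=example-not-real\n"], // constructed sample secret
]);

// Vulnerable: the request-derived value is interpolated straight into HTML, so a
// request for /<img onerror=...> puts live markup into the response body.
function notFoundPageVulnerable(relativePathFormatted) {
  return "<!DOCTYPE html><html><body><h1>File not found</h1>" +
    `<p>The file ${relativePathFormatted} can't be found.</p></body></html>`;
}

// Hardened: every character with meaning in HTML text or attribute context is
// escaped before the value is reflected.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

function notFoundPageHardened(relativePathFormatted) {
  return "<!DOCTYPE html><html><body><h1>File not found</h1>" +
    `<p>The file ${escapeHtml(relativePathFormatted)} can't be found.</p></body></html>`;
}

// Defence in depth: browsers label requests that originate from another site with
// "Sec-Fetch-Site: cross-site". A localhost dev server has no reason to answer
// such requests, so the hardened path refuses them before touching any file.
// Non-browser clients (curl, the IDE itself) send no header and are allowed.
function isCrossSite(headers) {
  return String(headers["sec-fetch-site"] || "").toLowerCase() === "cross-site";
}

// Request handling as a pure function ({url, headers} in, {status, headers, body}
// out) so the two variants can be compared without binding a socket.
function handle(req, hardened) {
  if (hardened && isCrossSite(req.headers || {})) {
    return { status: 403, headers: { "Content-Type": "text/plain" }, body: "Forbidden\n" };
  }
  const url = new URL(req.url, "http://127.0.0.1");
  let relativePathFormatted;
  try {
    relativePathFormatted = decodeURIComponent(url.pathname);
  } catch {
    relativePathFormatted = url.pathname; // malformed %-escape: reflect undecoded
  }
  if (FILES.has(relativePathFormatted)) {
    return { status: 200, headers: { "Content-Type": "text/html" }, body: FILES.get(relativePathFormatted) };
  }
  const body = hardened
    ? notFoundPageHardened(relativePathFormatted)
    : notFoundPageVulnerable(relativePathFormatted);
  return { status: 404, headers: { "Content-Type": "text/html" }, body };
}

// Comparison helper: true when a generic XSS probe survives unescaped in the 404 body.
function reflectsRawMarkup(hardened) {
  const probe = "/<img src=x onerror=alert(document.domain)>";
  const res = handle({ url: encodeURI(probe), headers: {} }, hardened);
  return res.status === 404 && res.body.includes("<img src=x onerror=");
}

// Optional real server for local experimentation (guarded so the file can also be
// loaded as a library): DEMO_LISTEN=1 node this-file.js [--hardened]
if (process.env.DEMO_LISTEN === "1") {
  const http = require("http");
  const hardened = process.argv.includes("--hardened");
  http.createServer((req, res) => {
    const out = handle({ url: req.url, headers: req.headers }, hardened);
    res.writeHead(out.status, out.headers);
    res.end(out.body);
  }).listen(3000, "127.0.0.1", () =>
    console.log(`listening on http://127.0.0.1:3000 (${hardened ? "hardened" : "vulnerable"})`));
}
```

With the server running, requesting a non-existent path such as http://127.0.0.1:3000/%3Cb%3Ex%3C/b%3E shows the difference: the vulnerable handler renders bold text, the hardened one shows the literal characters. For the reflected payload to execute in a real attack the malicious page must get the victim's browser to render the localhost URL (a hidden iframe or a link is enough); once it runs in the http://127.0.0.1:3000 origin it can fetch /.env same-origin, which is what turns a cosmetic 404 bug into the file exposure described above. The Sec-Fetch-Site check is honoured by current browsers and complements the fix, but it treats other ports on 127.0.0.1 as same-site and does nothing against a non-browser process on the same machine, so it does not replace output escaping.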

Mitigating Risk in Development Environments

Organizations should secure developer environments by applying updates and implementing additional hardening measures to reduce exposure. 

Because development workstations often store source code and credentials, strengthening local security controls can help limit the impact of similar vulnerabilities.

  • Update to the latest Live Preview extension version and maintain a disciplined patch management program for IDEs, extensions, operating systems, and dependencies.
  • Reduce attack surface by disabling or uninstalling non-essential VS Code extensions and turning off local development servers when not actively in use.
  • Restrict access to localhost-based services. Host firewalls and network segmentation keep other machines away from a development server, but they do not stop a request that the developer's own browser makes on an attacker's behalf; for that, bind local servers to 127.0.0.1 only and have them reject cross-site browser requests (for example by checking the Origin or Sec-Fetch-Site header).
  • Implement network egress filtering and DNS monitoring to detect or block suspicious outbound connections from developer workstations.
  • Strengthen endpoint security by deploying EDR tools that monitor abnormal localhost activity, unexpected file access, and unusual script execution.
  • Protect sensitive data by using secure secret management solutions instead of storing credentials in plaintext files such as .env configurations.
  • Regularly test and update incident response plans to ensure rapid detection, containment, and credential rotation if developer environments are compromised.

Together, these measures help limit the potential blast radius of a compromised development environment while building long-term resilience against similar threats.


Local Development Tools and Security Risks

This incident underscores the security considerations that come with modern development tools, particularly when features like embedded local servers interact with the local filesystem. 

With IDE extensions continuing to add new functionality, organizations should apply consistent security controls to developer workstations, similar to those used for other sensitive systems.

As risk increases across digital ecosystems, organizations are adopting zero-trust solutions to reduce implicit trust between applications, users, and local resources.

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.


Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved
