


















Researchers at OX Security have detected four vulnerabilities in three of the most popular integrated development environments (IDEs) that could lead to cyber-attacks.
In a report published on February 17, OX Security shared details about the four new flaws, including two high-severity and one critical, affecting Microsoft Visual Studio Code (VS Code).
These vulnerabilities also impact Cursor and Windsurf, two forks of VS Code that provide AI-assisted software development tools (aka ‘vibe coding’ platforms).
The affected extensions were collectively downloaded over 128 million times.
The researchers warned that despite disclosing the vulnerabilities to these platforms’ maintainers in July and August 2025 through multiple channels, including direct email, their GitHub pages and social networks, none have yet responded.
Three of the vulnerabilities were disclosed by MITRE on February 16 and allocated a common vulnerabilities and exposures (CVE) identifier.
The vulnerabilities described include:
While OX Security claims that the first three vulnerabilities remains unpatched, the researchers said Microsoft silently fixed the fourth on in version 0.4.16 of VS Code released in September 2025. MITRE did not disclose the fourth vulnerability and it has not been assigned any CVE identifier.
OX Security said that the research demonstrated that a malicious hacker only needs to exploit a single vulnerability within one extension to perform lateral movement and compromise entire organizations.
These vulnerabilities “expose a critical blind spot in modern development security,” said the researchers.
“While organizations invest heavily in securing production environments, the developer’s local machine remains a largely unprotected gateway to an organization’s most sensitive assets.”
The OX Security report provided two sets of recommendations for IDE and vibe coding tool users to mitigate such vulnerabilities.
The first list of recommendations are workaround implementations in order to keep using the affected extensions without being impacted by potential exploits:
In a second list of recommendations, the OX Security researchers outlined some general best practices for protecting IDEs:
Finally, the researchers also criticized the lack of response from extension maintainers despite months of responsible disclosure attempts through multiple channels.
“It underscores a systemic problem: there is no accountability framework for extension security and no incentive structure to ensure timely remediation of critical vulnerabilities,” they added.
They provided the maintainers of the affected extensions with some solutions to prevent such vulnerabilities to be exploited. These included:
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。