Remote Code Execution Vulnerability in Visual Studio Code Extensions by Formulahendry
CVE-2025-65715

7.8HIGH

Key Information:

Vendor

Formulahendry

Status
Code Runner
Vendor
CVE Published:
16 February 2026

Badges

đź‘ľ Exploit Existsđź“° News Worthy

What is CVE-2025-65715?

A vulnerability exists in the Code Runner module of Visual Studio Code Extensions, specifically within the code-runner.executorMap setting. This flaw allows malicious actors to execute arbitrary code on a user's machine when a specially crafted workspace is opened. The potential for exploitation means that users must be vigilant about the extensions they install and workspaces they engage with to mitigate possible security risks.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

News Articles

favicon imageBleepingComputer

Flaws in popular VSCode extensions expose developers to attacks

Vulnerabilities with high to critical severity ratings affecting popular Visual Studio Code (VSCode) extensions collectively downloaded more than 128 million times could be exploited to steal local files and execute code remotely.

1 week ago

References

https://github.com/formulahendry/vscode-code-runner
https://www.ox.security/blog/cve-2025-65715-code-runner-v...

CVSS V3.1

Score:
7.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • đź‘ľ

    Exploit known to exist

  • đź“°

    First article discovered by BleepingComputer

  • Vulnerability published

  • Vulnerability Reserved

JSON
.