Microsoft has patched a path traversal vulnerability in the Visual Studio Code Live Preview extension that could enable attackers to read arbitrary files from a developer's machine. Tracked as CVE-2026-41612 and published on May 12, 2026, the flaw carries an Important severity rating and stems from improper handling of relative file paths during preview requests.

VS Code Live Preview, used by millions of web developers to render HTML and CSS in real-time, creates a local server that maps project files to a browser view. The vulnerability allows an attacker who can craft a malicious request to traverse outside the intended project directory, potentially disclosing sensitive configuration files, environment variables, or other system-level data.

How the Path Traversal Works

The extension runs an embedded HTTP server on a loopback address (typically localhost:3000) to serve content. When a browser requests a preview page, the server resolves file paths based on the requested URL. In versions prior to 0.4.19, the path resolution logic failed to properly sanitize sequences like ../, which escape the base directory.

An example malicious request might look like:

GET /../../../../../windows/win.ini HTTP/1.1
Host: localhost:3000

Such a request, if sent to the local preview server while Live Preview is running, could return the contents of win.ini — a file well outside the project workspace. Because the server binds only to localhost, a remote attacker must first gain the ability to send HTTP requests to the developer's local interface. This can occur through cross-site request forgery (CSRF) if the developer visits a malicious website, or via DNS rebinding attacks that trick the browser into treating a remote domain as localhost.

Impact and Attack Scenarios

The primary risk is information disclosure. Developers often store API keys, database credentials, SSH keys, and proprietary source code within their workspace or home directories. An attacker could enumerate and exfiltrate these files, leading to:

  • Credential leakage for cloud services, databases, and CI/CD pipelines
  • Source code theft, including unreleased intellectual property
  • Lateral movement if the compromised workstation has access to internal networks

While a direct exploit from the open internet requires the user to run Live Preview and be tricked into issuing a cross-origin request, the risk is elevated in shared development environments, co-working spaces, or when developers test on public Wi-Fi. Additionally, a malicious NPM package or compromised website could launch the attack silently.

CVSS Details and Severity

Microsoft assigned the vulnerability a CVSSv3 score of 7.5 (Important), with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N. The key factors:
- Attack Vector (AV): Network — exploitable over the network
- Attack Complexity (AC): Low — no special conditions required
- Privileges Required (PR): None — no authentication needed
- User Interaction (UI): Required — the victim must visit a malicious site or click a link
- Scope (S): Unchanged — the vulnerable component and impacted component are the same
- Confidentiality (C): High — full file access
- Integrity (I) and Availability (A): None

This scoring reflects the relative ease of exploitation once user interaction is achieved, balanced by the localhost constraint and the need for the extension to be active.

Affected Versions and Fix

All versions of the VS Code Live Preview extension prior to 0.4.19 are vulnerable. The extension is distributed through the Visual Studio Code Marketplace and is typically updated automatically. Microsoft released version 0.4.19 on May 12, 2026, which includes a patch that normalizes requested paths and rejects any traversal outside the project root.

Developers who have disabled automatic updates for extensions should manually update Live Preview immediately:
1. Open VS Code
2. Go to the Extensions view (Ctrl+Shift+X)
3. Search for "Live Preview"
4. Click the gear icon and select "Update" if available, or verify the version badge shows ≥0.4.19
5. Restart any active preview sessions

The update also implements additional hardening: a strict Content-Security-Policy header on preview responses and validation that all served files reside within the workspace directory tree.

Microsoft's Advisory and Mitigations

In their CVE announcement, Microsoft recommends immediate upgrade as the primary mitigation. For environments where the extension cannot be updated promptly, they suggest:
- Do not enable Live Preview while browsing untrusted websites or clicking unfamiliar links.
- Use a browser extension to block requests to localhost from online origins.
- Consider running Live Preview on a non-standard port behind a firewall that filters localhost traffic.

No workaround completely eliminates the risk; the root cause is a logic flaw that only the patch addresses.

Community and Developer Response

The vulnerability drew attention from security researchers who noted that similar path traversal issues have plagued development servers in Express.js, webpack-dev-server, and others. VS Code's extensive extension ecosystem—over 50,000 extensions—relies on a trust model where extensions run with the user's full privileges. This incident underscores the importance of reviewing extension permissions and keeping them updated.

Several developers on the VS Code subreddit expressed surprise that a Microsoft-authored extension would contain such a classic flaw. One commenter noted: "Path traversal in a preview server? That's Web Security 101. Glad they fixed it quickly." Others questioned whether automatic extension updates should be opt-out rather than opt-in, especially for widely used tools.

Security audits of popular extensions are becoming more common. In 2025, researchers found similar issues in GitHub Copilot Chat and Azure Tools extensions, prompting calls for mandatory code reviews before marketplace publication. This CVE may accelerate discussions around requiring sandboxed networking for extensions that spin up local servers.

Protecting Against Path Traversal in Extension Development

For extension authors, the fix in Live Preview serves as a textbook example of secure path resolution. The vulnerable code resolved a file path by concatenating the base directory with the user-supplied URL path, then checking if the result started with the base directory. This approach is too weak: on Windows, case-insensitive paths and shortcut files can bypass such checks.

A robust method uses path.resolve() in Node.js to normalize the requested path, combined with fs.realpath() to resolve symbolic links, then verifies the result is a descendant of the workspace root. The patched Live Preview does exactly this, and also rejects any request containing .. or %2e%2e after normalization.

Key takeaways for VS Code extension developers:
- Always normalize and resolve user-controlled paths before file access.
- Use libraries like serve-handler or safe-resolve that encapsulate safe logic.
- When binding a local server, listen only on 127.0.0.1 or localhost, never on 0.0.0.0.
- Mark the server as "local" in extension metadata so VS Code can apply network isolation in future updates.

What's Next for VS Code Security

Microsoft is investing in several areas to reduce extension-related risks:
- Extension Runtime Security: A new API is in preview that allows extensions to declare network access scopes, similar to Android permissions. Live Preview would declare "localhost-server" scope, and VS Code would intercept unauthorized external connections.
- Static Analysis in Marketplace: Plans to integrate CodeQL scanning for common vulnerability patterns (like path traversal) during extension submission, catching flaws before publication.
- User Notifications: In an upcoming VS Code release, when an extension creates a listening socket, the status bar will display a "Network Service" indicator with options to restrict or disable it.

These measures aim to balance developer flexibility with protection against the growing supply chain risks in development tools.

Conclusion and Recommendations

CVE-2026-41612 is a reminder that even well-established, first-party extensions can harbor critical bugs. The Live Preview path traversal could have exposed months of source code and infrastructure keys. Developers should:
1. Update to Live Preview 0.4.19 or later immediately.
2. Audit other extensions that create local servers—consider disabling them when not in use.
3. Never store raw secrets in project directories; use environment variables or secret managers.
4. Browse with caution: avoid clicking suspicious links while development servers are running.

The fix is quick and low-impact. Applying it now closes a significant avenue for targeted attacks against the software supply chain.