Visual Studio Code Live Server Extension File Exfiltration Vulnerability

A file exfiltration vulnerability has been identified in the Visual Studio Code Live Server extension, version 5.7.9. This issue allows attackers to access and steal files from a user's local machine through interaction with a malicious HTML page while the extension is active. The vulnerability arises because Live Server does not enforce Cross-Origin Resource Sharing (CORS) restrictions, enabling remote websites to make unauthorized requests to local files served by the extension.

Impact

Exploitation of this vulnerability could lead to unauthorized access and exfiltration of local files, including sensitive source code, credentials, and other personal data.

Reproduction

To reproduce this vulnerability, first install the Live Server extension in Visual Studio Code. Once installed, open a project and start the Live Server. Then, open a malicious HTML page in a web browser. The page can use JavaScript to access files on localhost, crawling and exfiltrating them to an attacker-controlled domain.