Visual Studio Code Extension Code Runner allows code execution from crafted workspaces

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

7.8

Visual Studio Code Extension Code Runner allows code execution from crafted workspaces

CVE-2025-65715

Summary

Attackers can execute arbitrary code when opening a specially crafted workspace in Code Runner, a Visual Studio Code extension. This allows them to potentially steal data, install malware, or take control of the system. Update to the latest version of Code Runner to fix this issue.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor	Product	Affected versions	Fix available
formulahendry	coderunner	> 0.12.2	–

Original title

An issue in the code-runner.executorMap setting of Visual Studio Code Extensions Code Runner v0.12.2 allows attackers to execute arbitrary code when opening a crafted workspace.

Original description

An issue in the code-runner.executorMap setting of Visual Studio Code Extensions Code Runner v0.12.2 allows attackers to execute arbitrary code when opening a crafted workspace.

nvd CVSS3.1 7.8

Vulnerability type

CWE-94 Code Injection

https://github.com/formulahendry/vscode-code-runner Exploit
https://www.ox.security/blog/cve-2025-65715-code-runner-vscode-rce/ Exploit Third Party Advisory

Published: 16 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026