A newly discovered vulnerability, CVE-2025-47269, has raised serious security concerns for users of Code-Server, a tool that allows developers to run Visual Studio Code (VS Code) directly in the browser. With a CVSS score of 8.3, this vulnerability is classified as high severity and requires immediate action from all users.

code-server is a widely popular open-source project that brings the power of desktop VS Code to the web, giving developers the flexibility to write and manage code remotely on any device. However, this convenience can come at a cost when security bugs are present.

The core issue lies in how code-server handles something called the proxy subpath. This feature is intended to help developers access services running on their local machine via the browser. Unfortunately, the implementation of this feature lacks proper checks, particularly around how port numbers and domain names are handled in URLs.

An attacker can craft a malicious URL. When this URL is clicked, code-server may accidentally proxy the request to test@evil.com/path a server controlled by the attacker. Since the user’s session cookie is included in the request, the attacker can intercept it. That cookie is like a digital key; if someone gets it, they can unlock the full session.

With access to the session token, the attacker can log into the code-server instance without any password or login step, just like the real user. From there, they can:

• Read, edit, or delete source code
• Upload or install malicious files or software
• Gain access to the server environment running code-server
• Use the machine to attack other systems in the network

In simple terms, this vulnerability allows a malicious actor to take full control of a developer’s working environment, a major risk for both individual users and organizations using Code-Server in production environments.