Microsoft has released a new update for Visual Studio Code 1.106, focusing on fixing a critical security vulnerability in the V8 JavaScript engine. The issue, referred to as Type Confusion and identified by CVE-2025-13223, allowed potentially malicious HTML content to trigger heap corruption and compromise systems remotely. This patch addresses a hole in the code base related to older versions of V8, up to 142.0.7444.175. The update is important for developers who rely on VS Code daily, especially those using Node.js-based tools, as it helps keep their environment safer from potential attacks.

Visual Studio Code 1.106.1 released

Earlier today, Microsoft released a new update for Visual Studio Code 1.106. While not exactly packed with groundbreaking new features this time around (at least none labeled as such), the primary focus is on fixing a security vulnerability in the underlying V8 JavaScript engine.

This specific fix addresses an issue known as Type Confusion within V8, identified via CVE-2025-13223. The problem potentially allowed a remote attacker to compromise systems by supplying specially crafted HTML content that could trigger heap corruption. Essentially, this patch plugs a hole in the code base related to older versions of V8, up to 142.0.7444.175.

It's an important release for developers who rely on VS Code daily and use Node.js-based tools. The team behind it has clearly prioritized security again, tackling this specific problem head-on. This kind of proactive patching helps keep the environment safer overall by reducing potential attack vectors that could affect user data or system stability.

Release October 2025 Recovery 1

The update addresses these issues. For the complete release notes go to Updates on code.visualstudio.com.

Release October 2025 Recovery 1 · microsoft/vscode