diff --git a/CHANGELOG.md b/CHANGELOG.md
index f17c0568c..ecb552aaf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,8 @@ All notable changes to the "prettier-vscode" extension will be documented in thi ## [Unreleased] +- **Security**: Fixed config resolution in untrusted workspaces to prevent JavaScript config files (`.prettierrc.js`, `prettier.config.js`, etc.) from being executed. Previously, even when workspace trust was enforced for module resolution, Prettier's config resolution could still `require()`/`import()` JS config files, allowing arbitrary code execution. Reported by Hector Ruiz Ruiz. + ## [12.3.0] - Watch `.prettierignore` for changes to invalidate cache (#3942)
diff --git a/src/ModuleResolverNode.ts b/src/ModuleResolverNode.ts
index afba04b7c..fd832800d 100644
--- a/src/ModuleResolverNode.ts
+++ b/src/ModuleResolverNode.ts
@@ -15,6 +15,7 @@ import {
   INVALID_PRETTIER_CONFIG,
   INVALID_PRETTIER_PATH_MESSAGE,
   OUTDATED_PRETTIER_VERSION_MESSAGE,
+  UNTRUSTED_WORKSPACE_SKIPPING_CONFIG,
   UNTRUSTED_WORKSPACE_USING_BUNDLED_PRETTIER,
   USING_BUNDLED_PRETTIER,
 } from "./message.js";
@@ -402,6 +403,18 @@ export class ModuleResolver implements ModuleResolverInterface {
     fileName: string,
     vscodeConfig: PrettierVSCodeConfig,
   ): Promise<"error" | "disabled" | PrettierOptions | null> {
+    // In untrusted workspaces, skip config resolution entirely.
+    // Prettier's resolveConfigFile/resolveConfig can execute JS config files
+    // (.prettierrc.js, prettier.config.js, etc.) which would allow arbitrary
+    // code execution.
+    if (!workspace.isTrusted) {
+      this.loggingService.logDebug(UNTRUSTED_WORKSPACE_SKIPPING_CONFIG);
+      if (vscodeConfig.requireConfig) {
+        return "disabled";
+      }
+      return null;
+    }
+
     let configPath: string | undefined;
     try {
       configPath =
diff --git a/src/message.ts b/src/message.ts
index 53e4b8826..ad0b5d92a 100644
--- a/src/message.ts
+++ b/src/message.ts
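Review bot: The trust guard in the `@@ -402` hunk reports the skip only through `logDebug` before returning `"disabled"` or `null`, so in an untrusted workspace a user with `prettier.requireConfig` set, or one relying on a repository `.prettierrc`, sees formatting stop or fall back to defaults with nothing visible unless debug logging is enabled; unless the `"disabled"` result is surfaced elsewhere, `this.loggingService.logInfo(UNTRUSTED_WORKSPACE_SKIPPING_CONFIG);` (at whatever level `UNTRUSTED_WORKSPACE_USING_BUNDLED_PRETTIER` is reported) would make the behaviour diagnosable. Placing the early return ahead of the `configPath` lookup is the right shape, but the comment should also state that the skip deliberately covers every config format, not only the executable ones, e.g. `// Skips all formats (including plain .prettierrc/.editorconfig), so that a later change does not narrow this to JS files without revisiting the trust model.` The diff carries no test exercising `workspace.isTrusted === false`, which is worth adding so the guard cannot silently regress. The enclosing method's signature starts, and its body continues, outside the hunk.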
@@ -13,3 +13,5 @@ export const EXTENSION_DISABLED =
   "Extension is disabled. No formatters will be registered. To enable, change the `prettier.enable` to `true` and restart VS Code.";
 export const UNTRUSTED_WORKSPACE_USING_BUNDLED_PRETTIER =
   "This workspace is not trusted. Using the bundled version of prettier.";
+export const UNTRUSTED_WORKSPACE_SKIPPING_CONFIG =
+  "Skipping Prettier config resolution in untrusted workspace. Config files are not loaded for security.";