In PKCE, i understand that code_verifier is used to generate a code challenge and later this code_verifier value is verfied by authorization server to complete PKCE process.
How sensitive this code_verfier value is? Does this value has to be kept secret? What all attacks can an adversary perform if this value is leaked?
The code_verifier is sensitive indeed: it is the mechanism by which the Client proves in the call to the token endpoint that it was the one that initiated the Authorization Request in the first place.
This value should be kept secret, also see below.
Leaking it would allow an attacker the impersonate the (public) Client in the call to the token endpoint of the Authorization Server, thus obtain tokens that were intended for the real Client.
Note that even when not using any (hashing) transformation on the code_verifier but send it as plain in the code_challenge in the authorization request, it would still make it difficult for an attacker who is able to intercept the callback to the Redirect URI since he would also have to intercept the outgoing request.
But in general the code_verifier should be hashed with SHA256 into the code_challenge so even when intercepting the request, the attacker is not able to deduce the code_verifier.