OpenVSX 0.9.0 to 0.20.0: namespace details API allows privilege escalation
CVE-2025-1007 Published on February 19, 2025

Improper Authorization in /user/namespace/{namespace}/details
In OpenVSX versions v0.9.0 to v0.20.0, the /user/namespace/{namespace}/details API allows a user to edit all namespace details, even if the user is not a namespace Owner or Contributor. The details include: name, description, website, support link and social media links. The same issue existed in /user/namespace/{namespace}/details/logo and allowed a user to change the logo.
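As an added illustration of the missing check (not OpenVSX's code; the Namespace model, role names and handler names are assumptions), the pre-fix handler that skips the membership check sits beside corrected handlers for both the details and the logo path:

```python
from dataclasses import dataclass, field
# Assumed model of the Owner/Contributor membership in the advisory; added illustration only.
EDIT_ROLES = {"owner", "contributor"}

class Forbidden(Exception):
    pass  # caller holds no role on the namespace that permits editing

@dataclass
class Namespace:
    name: str
    members: dict = field(default_factory=dict)  # user login -> role
    details: dict = field(default_factory=dict)  # description, website, links
    logo: bytes = b""

def is_namespace_editor(ns: Namespace, user: str) -> bool:
    """Ownership check: the user must be an Owner or Contributor of ns."""
    return ns.members.get(user) in EDIT_ROLES

def update_details_vulnerable(ns: Namespace, user: str, new: dict) -> dict:
    """Pre-fix behaviour: any signed-in user may edit any namespace."""
    ns.details.update(new)  # no membership check at all
    return ns.details

def update_details_fixed(ns: Namespace, user: str, new: dict) -> dict:
    """Post-fix behaviour: reject callers who are not Owner/Contributor."""
    if not is_namespace_editor(ns, user):
        raise Forbidden(f"{user} may not edit namespace {ns.name}")
    ns.details.update(new)
    return ns.details

def update_logo_fixed(ns: Namespace, user: str, logo: bytes) -> bytes:
    """The /details/logo path must carry the very same check."""
    if not is_namespace_editor(ns, user):
        raise Forbidden(f"{user} may not change the logo of {ns.name}")
    ns.logo = logo
    return ns.logo

def demo() -> dict:
    """Constructed scenario: 'mallory' is signed in but holds no role on 'acme'."""
    ns = Namespace("acme", {"alice": "owner", "bob": "contributor"},
                   {"website": "https://acme.example"})
    update_details_vulnerable(ns, "mallory", {"website": "https://changed.example"})
    hijacked = ns.details["website"]
    try:
        update_details_fixed(ns, "mallory", {"website": "https://other.example"})
        blocked = False
    except Forbidden:
        blocked = True
    update_details_fixed(ns, "bob", {"website": "https://acme.example"})
    return {"vulnerable_changed": hijacked, "fixed_blocked": blocked,
            "contributor_ok": ns.details["website"]}
```

The check belongs in every handler that mutates namespace state, not only the one that was reported; the logo path is the reminder.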


Weakness Types

What is an AuthZ Vulnerability?

The software does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

CVE-2025-1007 has been classified as an AuthZ vulnerability or weakness.

Unverified Ownership

The software does not properly verify that a critical resource is owned by the proper entity.


Products Associated with CVE-2025-1007



Affected Versions

Eclipse Foundation OpenVSX: v0.9.0 to v0.20.0

Exploit Probability

EPSS
0.13%
Percentile
32.98%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.