Eclipse Open VSX: Unauthorized Extension Uploads via Unisolated Build Scripts
CVE-2025-6705 Published on June 27, 2025

A vulnerability in the Eclipse Open VSX Registry's automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system's build scripts were executed without proper isolation, potentially exposing a privileged token. This token enabled the publishing of new extension versions under any namespace, including namespaces not controlled by the attacker. It did not permit deletion of existing extensions, overwriting of already published versions, or access to administrative features of the registry. The issue was reported on May 4, 2025, fully resolved by June 24, 2025, and followed by a comprehensive audit. No evidence of compromise was found, though 81 extensions were proactively deactivated as a precaution. The standard publishing process was unaffected. Recommendations have been issued to mitigate similar risks in the future.


Weakness Types

Improper Control of Dynamically-Managed Code Resources (CWE-913)

The software does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements. Many languages offer powerful features that allow the programmer to dynamically create or modify existing code, or resources used by code such as variables and objects. While these features can offer significant flexibility and reduce development time, they can be extremely dangerous if attackers can directly influence these code resources in unexpected ways.

What is a Separation of Privilege Vulnerability?

The product does not sufficiently compartmentalize functionality or processes that require different privilege levels, rights, or permissions. When a weakness occurs in functionality that is accessible by lower-privileged users, then without strong boundaries, an attack might extend the scope of the damage to higher-privileged users.

CVE-2025-6705 has been classified as a Separation of Privilege (CWE-653, Improper Isolation or Compartmentalization) weakness.


Products Associated with CVE-2025-6705

Affected Versions

Eclipse Foundation Eclipse Open VSX Registry, builds dated before 20250624 (that is, before the June 24, 2025 fix), are affected by CVE-2025-6705.

Exploit Probability

EPSS score: 0.04%
Percentile: 12.90%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.