CVE-2025-6705

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-6705
A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system’s build scripts were executed without proper isolation, potentially exposing a privileged token. This token enabled the publishing of new extension versions under any namespace, including those not controlled by an attacker. However, it did not permit deletion of existing extensions, overwriting of published versions, or access to administrative features of the registry. The issue was reported on May 4, 2025, fully resolved by June 24, and followed by a comprehensive audit. No evidence of compromise was found, though 81 extensions were proactively deactivated as a precaution. The standard publishing process remained unaffected. Recommendations have been issued to mitigate similar risks in the future.

5.3 /10

CVSS v3.0 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/EclipseFdn/publish-extensions/pull/881 Issue Tracking
https://open-vsx.org Product
Configurations

Configuration 1 (hide)

cpe:2.3:a:eclipse:open_vsx:-:*:*:*:*:*:*:*
History

31 Jul 2025, 16:12

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 5.3
First Time Eclipse open Vsx
Eclipse
CPE cpe:2.3:a:eclipse:open_vsx:-:*:*:*:*:*:*:*
References () https://open-vsx.org - () https://open-vsx.org - Product
References () https://github.com/EclipseFdn/publish-extensions/pull/881 - () https://github.com/EclipseFdn/publish-extensions/pull/881 - Issue Tracking

02 Jul 2025, 07:15

Type Values Removed Values Added
Summary On open-vsx.org https://open-vsx.org/  it was possible to run an arbitrary build scripts for auto-published extensions because of missing sandboxing of CI job runs. An attacker who had access to an existing extension could take over the service account of the marketplace. The issue has been fixed on June 24th, 2025 and the vulnerable code present in the publish-extension code repository. A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system’s build scripts were executed without proper isolation, potentially exposing a privileged token. This token enabled the publishing of new extension versions under any namespace, including those not controlled by an attacker. However, it did not permit deletion of existing extensions, overwriting of published versions, or access to administrative features of the registry. The issue was reported on May 4, 2025, fully resolved by June 24, and followed by a comprehensive audit. No evidence of compromise was found, though 81 extensions were proactively deactivated as a precaution. The standard publishing process remained unaffected. Recommendations have been issued to mitigate similar risks in the future.

27 Jun 2025, 17:15

Type Values Removed Values Added
CWE CWE-653
CWE-913
Summary On open-vsx.org http://open-vsx.org/  it was possible to run an arbitrary build scripts for auto-published extensions because of missing sandboxing of CI job runs. An attacker who had access to an existing extension could take over the service account of the marketplace. The issue has been fixed on June 24th, 2025 and the vulnerable code present in the publish-extension code repository. On open-vsx.org https://open-vsx.org/  it was possible to run an arbitrary build scripts for auto-published extensions because of missing sandboxing of CI job runs. An attacker who had access to an existing extension could take over the service account of the marketplace. The issue has been fixed on June 24th, 2025 and the vulnerable code present in the publish-extension code repository.

27 Jun 2025, 15:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-27 15:15

Updated : 2025-07-31 16:12

NVD link : CVE-2025-6705

Mitre link : CVE-2025-6705

JSON object : View

Products Affected

eclipse

  • open_vsx
CWE

No CWE.