CVE-2025-6705
📋 TL;DR
A vulnerability in Eclipse Open VSX Registry's automated publishing system allowed unauthorized uploads of extensions due to insufficient isolation of build scripts. This exposed a privileged token enabling attackers to publish new extension versions under any namespace, potentially distributing malicious extensions. The vulnerability affected users of the Open VSX Registry who might install compromised extensions.
💻 Affected Systems
- Eclipse Open VSX Registry
📦 What is this software?
Open VSX by Eclipse
⚠️ Risk & Real-World Impact
Worst Case
Attackers could publish malicious extensions under legitimate namespaces, leading to supply chain attacks where users unknowingly install compromised software with potential backdoors or malware.
Likely Case
Unauthorized publishing of extensions, potentially including malicious code, though limited to new versions (cannot overwrite existing versions or delete extensions).
If Mitigated
With proper access controls and script isolation, the vulnerability would be prevented, maintaining the integrity of the extension publishing process.
🎯 Exploit Status
Exploitation requires access to the build script environment and knowledge of the token exposure; no evidence of actual compromise was found.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed by June 24, 2025
Vendor Advisory: https://github.com/EclipseFdn/publish-extensions/pull/881
Restart Required: No
Instructions:
1. Update to the patched version of Eclipse Open VSX Registry.
2. Ensure build scripts are properly isolated.
3. Rotate any exposed tokens.
4. Conduct a security audit as recommended.
🔧 Temporary Workarounds
Disable automated publishing
Temporarily disable the vulnerable automated publishing system until patched.
# Configuration-dependent; consult system documentation
Implement script isolation
Manually enforce isolation for build scripts to prevent token exposure.
# Use containerization or sandboxing for build environments
🧯 If You Can't Patch
- Monitor for unauthorized extension uploads and review all new extensions manually.
- Implement strict access controls and audit logging for the publishing system.
🔍 How to Verify
Check if Vulnerable:
Check if using a version of Eclipse Open VSX Registry prior to the June 24, 2025 fix; review build script isolation and token handling.
Check Version:
# Check registry version via administrative interface or configuration files
Verify Fix Applied:
Confirm update to post-June 24, 2025 version and verify build scripts are properly isolated with secure token management.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized extension uploads
- Unusual publishing activity from unexpected sources
- Failed isolation attempts in build logs
Network Indicators:
- Unexpected connections to publishing endpoints
- Anomalous traffic patterns during build processes
SIEM Query:
source="open-vsx" AND ((event="extension_publish" AND user NOT IN allowed_users) OR (event="build_script_execution" AND isolation_failure=true))
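As an added example (not part of this advisory or of the Open VSX project), the following Python applies the same two detection branches as the SIEM query to constructed log lines, with the source filter covering both branches; the JSON field names and the per-namespace publisher allow-list are assumptions.

```python
import json

# Constructed sample log lines (one JSON object per line); not real registry output.
SAMPLE_LOGS = """
{"source": "open-vsx", "event": "extension_publish", "namespace": "redhat", "extension": "java", "version": "1.2.3", "user": "redhat-bot"}
{"source": "open-vsx", "event": "extension_publish", "namespace": "redhat", "extension": "java", "version": "1.2.4", "user": "ci-publisher"}
{"source": "open-vsx", "event": "build_script_execution", "extension": "java", "isolation_failure": true}
{"source": "open-vsx", "event": "extension_publish", "namespace": "acme", "extension": "tool", "version": "0.9.0", "user": "acme-dev"}
{"source": "other", "event": "extension_publish", "namespace": "acme", "extension": "tool", "version": "0.9.1", "user": "unknown"}
"""

# Assumed per-namespace allow-list of accounts permitted to publish new versions.
ALLOWED_PUBLISHERS = {
    "redhat": {"redhat-bot"},
    "acme": {"acme-dev", "acme-release"},
}


def parse_events(text):
    """Parse newline-delimited JSON log lines into dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_suspicious(events, allowed):
    """Return (reason, event) pairs for the two branches of the SIEM query.

    The source filter applies to both branches, i.e. the query reads as
    source AND (publish-by-unexpected-user OR isolation-failure).
    """
    alerts = []
    for ev in events:
        if ev.get("source") != "open-vsx":
            continue
        if ev.get("event") == "extension_publish":
            # A publish from an account not on the namespace's allow-list is the
            # signal for an unauthorized new-version upload.
            if ev.get("user") not in allowed.get(ev.get("namespace"), set()):
                alerts.append(("unexpected_publisher", ev))
        elif ev.get("event") == "build_script_execution" and ev.get("isolation_failure"):
            alerts.append(("isolation_failure", ev))
    return alerts


if __name__ == "__main__":
    for reason, ev in find_suspicious(parse_events(SAMPLE_LOGS), ALLOWED_PUBLISHERS):
        print(f"{reason}: {json.dumps(ev)}")
```

On the sample lines this flags the 1.2.4 publish by an unlisted account and the isolation failure, while the event from another source is ignored even though its user is unknown.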