Arbitrary Code Execution Vulnerability in Open-VSX Marketplace Extensions
CVE-2025-6705
7.6 HIGH
What is CVE-2025-6705?
An issue in the Open-VSX marketplace allowed arbitrary build scripts to be executed for auto-published extensions due to a lack of proper sandboxing during CI job execution. This vulnerability enabled an attacker with access to an existing extension to potentially hijack the service account associated with the marketplace. The issue was addressed on June 24, 2025, after identifying and rectifying the vulnerable portions of the publish-extension code repository.
Affected Version(s)
Eclipse Open VSX Registry date < 20250624
References
CVSS V4
Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
Oren Yomtov
