Description

A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system’s build scripts were executed without proper isolation, potentially exposing a privileged token. This token enabled the publishing of new extension versions under any namespace, including those not controlled by an attacker. However, it did not permit deletion of existing extensions, overwriting of published versions, or access to administrative features of the registry. The issue was reported on May 4, 2025, fully resolved by June 24, and followed by a comprehensive audit. No evidence of compromise was found, though 81 extensions were proactively deactivated as a precaution. The standard publishing process remained unaffected. Recommendations have been issued to mitigate similar risks in the future.

INFO

Published Date :

2025-06-27T14:57:06.595Z

Last Modified :

2025-07-02T06:58:28.586Z

Source :

eclipse
AFFECTED PRODUCTS

The following products are affected by CVE-2025-6705 vulnerability.

Vendors Products
Eclipse
  • Open Vsx
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-6705.

URL Resource
https://github.com/EclipseFdn/publish-extensions/pull/881 cve-icon cve-icon
https://open-vsx.org cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact