CVE-2025-6705: CWE-913 Improper Control of Dynamically-Managed Code Resources in Eclipse Foundation Eclipse Open VSX Registry
A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system’s build scripts were executed without proper isolation, potentially exposing a privileged token. This token enabled the publishing of new extension versions under any namespace, including those not controlled by an attacker. However, it did not permit deletion of existing extensions, overwriting of published versions, or access to administrative features of the registry. The issue was reported on May 4, 2025, fully resolved by June 24, and followed by a comprehensive audit. No evidence of compromise was found, though 81 extensions were proactively deactivated as a precaution. The standard publishing process remained unaffected. Recommendations have been issued to mitigate similar risks in the future.
AI Analysis
Technical Summary
CVE-2025-6705 is a high-severity vulnerability in the Eclipse Foundation's Open VSX Registry (open-vsx.org); the fix was deployed to the registry's automated publishing system on June 24, 2025. The root cause, classified as CWE-913 (improper control of dynamically managed code resources), is missing sandboxing in the continuous integration (CI) jobs that auto-publish extensions: each job checked out an extension's source and ran its build scripts in the same environment that held the registry's privileged publishing token. Anyone who could change the build of an auto-published extension (its maintainers, or anyone who compromised its repository or one of its build-time dependencies) could therefore run arbitrary code inside that job and read the token. Per the advisory, that token allowed publishing new versions of any extension under any namespace, but it did not allow deleting extensions, overwriting already-published versions, or using administrative functions, so the "service account takeover" in the CVE record should be read with that scope in mind: the prize was the ability to push new, legitimately signed-in-as-the-registry releases, not control of the registry itself. The attack is reachable over the network with low complexity and needs no user interaction, but it does require the ability to influence an existing auto-published extension's build, which is why the CVSS 4.0 score is 7.6 (high) rather than critical; the confidentiality and integrity impact (the token and what it could publish) is rated high. The issue was reported on May 4, 2025, resolved by June 24, and publicly disclosed shortly afterwards. A follow-up audit found no evidence that the token had been abused; 81 extensions were deactivated as a precaution, and no exploitation in the wild has been reported.
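The core defect described above is that an untrusted build step and a publishing credential lived in the same process environment. The following is an added example, not code from the Open VSX project or from the advisory, that shows the vulnerable and the hardened pattern side by side. It assumes the token is handed to the CI job as an environment variable named OVSX_PAT and that the extension build is a subprocess the job spawns; both names are assumptions for illustration. The "build script" is a constructed stand-in for a hostile build hook that dumps whatever environment it inherits, which is all an attacker needs to exfiltrate a token. Filtering the child environment is the minimum control shown here; real isolation also means a separate job or container for the build, with the token present only in the publish step.

```python
"""Added example (not Open VSX project code): why an untrusted build step must not
share an environment with a publishing credential.

Assumptions, none taken from the advisory: the CI job receives its token in an
environment variable named OVSX_PAT, and the extension's build is a subprocess the
job spawns. MALICIOUS_BUILD is a constructed stand-in for a hostile build script
(e.g. a malicious npm postinstall hook): it writes every environment variable it
can see to a file. A real sandbox adds process/container isolation on top of the
environment allow-list shown here.
"""
import json
import os
import subprocess
import sys
import tempfile

TOKEN_VAR = "OVSX_PAT"                      # assumed credential name (illustrative)
FAKE_TOKEN = "ovsx_constructed_token_0123"  # constructed value, not a real secret

# Stand-in for a hostile build script: dump the inherited environment to argv[1].
MALICIOUS_BUILD = (
    "import json, os, sys; "
    "json.dump(dict(os.environ), open(sys.argv[1], 'w'))"
)


def fetch_publish_token() -> str:
    """Stand-in for the CI secret store handing the job its publishing token."""
    return FAKE_TOKEN


def run_untrusted_build(env: dict) -> dict:
    """Run the extension's build step with exactly `env`; return what it could read."""
    with tempfile.TemporaryDirectory() as tmp:
        out = os.path.join(tmp, "leak.json")
        subprocess.run([sys.executable, "-c", MALICIOUS_BUILD, out], env=env, check=True)
        with open(out) as f:
            return json.load(f)


def publish(artifact: bytes, token: str) -> None:
    """Stand-in for the registry publish call; the real call uses `token` here only."""
    assert token, "publish step needs the token"


def vulnerable_publish_job() -> bool:
    """Vulnerable pattern: the token is exported job-wide and the build step
    inherits the whole environment. Returns True if the build could read the token."""
    os.environ[TOKEN_VAR] = fetch_publish_token()       # CI injected it job-wide
    try:
        seen = run_untrusted_build(os.environ.copy())   # inherits everything, token included
        publish(b"constructed.vsix", os.environ[TOKEN_VAR])
    finally:
        os.environ.pop(TOKEN_VAR, None)
    return seen.get(TOKEN_VAR) == FAKE_TOKEN


def hardened_publish_job() -> bool:
    """Hardened pattern: the job still receives the token, but the build step gets
    only an allow-listed environment; the token is used solely in the publish step.
    Returns True if the build could read the token (expected: False)."""
    allowed = {"PATH", "HOME", "LANG", "TMPDIR", "SYSTEMROOT"}   # SYSTEMROOT: Windows needs it
    os.environ[TOKEN_VAR] = fetch_publish_token()
    try:
        build_env = {k: v for k, v in os.environ.items() if k in allowed}
        seen = run_untrusted_build(build_env)           # no secrets reach the build
        publish(b"constructed.vsix", os.environ[TOKEN_VAR])
    finally:
        os.environ.pop(TOKEN_VAR, None)
    return TOKEN_VAR in seen


if __name__ == "__main__":
    print("vulnerable job leaked token:", vulnerable_publish_job())
    print("hardened job leaked token:  ", hardened_publish_job())
```

Running it prints True for the vulnerable job and False for the hardened one. The allow-list is deliberately explicit rather than a deny-list of known secret names, because a new secret added to the job later would otherwise leak by default.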
Potential Impact
For European organizations the exposure is indirect but broad. open-vsx.org is the extension source for VS Code-compatible editors that do not use Microsoft's marketplace (VSCodium and Eclipse Theia among them), so anyone holding the leaked token could have pushed a malicious new version of a widely installed extension under its legitimate namespace, and editors configured to auto-update extensions would have pulled it without any user action. Because the token could not overwrite existing versions, such a push would have appeared as a fresh, higher version number; pinned installations would have been unaffected, unpinned ones would not. The downstream consequences are those of any developer-workstation supply chain compromise: theft of source code and credentials, backdoors inserted into builds, and disruption of development workflows, including CI/CD pipelines that install extensions headlessly. Sectors with heavy reliance on open-source tooling, such as finance, telecommunications and government, carry the most exposure. The advisory's audit found no evidence that the token was actually abused, so the impact described here is what the window of exposure permitted, not what is known to have happened.
Mitigation Recommendations
There is no client-side patch for this issue: the fix was applied to open-vsx.org's automated publishing pipeline by June 24, 2025, and the audit found no abuse of the token. What organizations should do depends on their role. Operators of self-hosted Open VSX registries, or of any comparable auto-publishing pipeline, should ensure that the job which builds untrusted extension code never holds the publishing credential: run builds in an isolated job or container with an allow-listed environment, inject the token only into a separate publish step, and prefer short-lived, narrowly scoped tokens (at minimum one per namespace rather than one that can publish anywhere) so that a leak is bounded. Log every publish by the service identity and alert on publishes outside the set of extensions it is configured for. Restrict who can change the build of an auto-published extension, and treat a change to an extension's build scripts or build-time dependencies as a change to the publishing trust boundary. Consumers of extensions should pin versions where their editor or CI tooling allows it, verify artifact digests where the registry provides them, and review extensions from less-known publishers before installing them. Finally, developers should be reminded that an extension update is code execution on their workstation, which is the supply chain risk this class of issue exposes.
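The audit the advisory describes, and the monitoring recommended above, come down to one question: did the auto-publishing identity ever publish something it was not configured to publish? The following added example, not code from the Open VSX project, runs that check over constructed publish events. It assumes publish events can be exported as lines of `<timestamp> <actor> <namespace>.<extension>@<version>` and that the operator keeps the list of extensions the auto-publisher is responsible for; the log format, the identity name and the list are all assumptions made for the example. Two conditions are flagged: a publish by the service identity outside its configured list, and a publish by it of a version not newer than the one already on the registry (the advisory says overwriting was not possible, so such an entry in a success log means something else is wrong and deserves a look).

```python
"""Added example (not Open VSX project code): audit registry publish events for
versions pushed by the auto-publishing identity outside its remit.

Assumptions, illustrative and not taken from the advisory: publish events are
exported as `<timestamp> <actor> <namespace>.<extension>@<version>` lines, and the
operator keeps the list of (namespace, extension) pairs the auto-publisher is
configured for. The log lines and the list below are constructed for this example.
"""
from dataclasses import dataclass

AUTO_PUBLISHER = "open-vsx-autopublish"   # assumed service identity name

# Constructed: the extensions the auto-publisher is allowed to publish.
AUTO_PUBLISH_LIST = {
    ("redhat", "java"),
    ("ms-python", "python"),
}

# Constructed publish log. The last two lines model what abuse of a leaked token
# would look like: the service identity publishing into a namespace it was never
# configured for, and pushing a version lower than the one already on the registry.
SAMPLE_LOG = """\
2025-05-01T09:10:00Z open-vsx-autopublish redhat.java@1.40.0
2025-05-02T11:00:00Z alice ms-python.python@2025.4.0
2025-05-03T08:30:00Z open-vsx-autopublish ms-python.python@2025.4.1
2025-05-05T02:14:00Z open-vsx-autopublish acme.build-tools@0.0.1
2025-05-05T02:15:00Z open-vsx-autopublish redhat.java@1.39.0
"""


@dataclass(frozen=True)
class PublishEvent:
    ts: str
    actor: str
    namespace: str
    extension: str
    version: str

    @property
    def ref(self) -> str:
        return f"{self.namespace}.{self.extension}@{self.version}"


def version_key(version: str) -> tuple:
    """Sort key for dotted versions; non-numeric parts sort as 0 (enough for this audit)."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def parse_log(text: str) -> list:
    """Parse the assumed export format into PublishEvent records, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, actor, ref = line.split()
        name, version = ref.rsplit("@", 1)
        namespace, extension = name.split(".", 1)
        events.append(PublishEvent(ts, actor, namespace, extension, version))
    return events


def audit(events, auto_publisher=AUTO_PUBLISHER, allow=AUTO_PUBLISH_LIST) -> list:
    """Return one finding per suspicious publish by the auto-publishing identity."""
    findings = []
    latest = {}   # (namespace, extension) -> highest version seen so far, any actor
    for e in events:
        key = (e.namespace, e.extension)
        prev = latest.get(key)
        if e.actor == auto_publisher:
            if key not in allow:
                findings.append(f"{e.ts}: {auto_publisher} published outside its "
                                f"configured list: {e.ref}")
            if prev is not None and version_key(e.version) <= version_key(prev):
                findings.append(f"{e.ts}: {auto_publisher} pushed {e.ref}, "
                                f"not newer than already published {prev}")
        if prev is None or version_key(e.version) > version_key(prev):
            latest[key] = e.version
    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log this reports the acme.build-tools publish and the redhat.java@1.39.0 downgrade, and nothing for the first three events. In a real registry the allow-list would be generated from the auto-publisher's own configuration rather than typed by hand, so that the audit and the pipeline cannot drift apart.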
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: eclipse
- Date Reserved: 2025-06-26T10:19:23.466Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 685eb4266f40f0eb7263ec9a
Added to database: 6/27/2025, 3:09:26 PM
Last enriched: 6/27/2025, 3:24:30 PM
Last updated: 10/29/2025, 6:41:41 PM