CVE-2025-6705: CWE-913 Improper Control of Dynamically-Managed Code Resources in Eclipse Foundation Eclipse Open VSX Registry
A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system’s build scripts were executed without proper isolation, potentially exposing a privileged token. This token enabled the publishing of new extension versions under any namespace, including those not controlled by an attacker. However, it did not permit deletion of existing extensions, overwriting of published versions, or access to administrative features of the registry. The issue was reported on May 4, 2025, fully resolved by June 24, and followed by a comprehensive audit. No evidence of compromise was found, though 81 extensions were proactively deactivated as a precaution. The standard publishing process remained unaffected. Recommendations have been issued to mitigate similar risks in the future.
AI Analysis
Technical Summary
CVE-2025-6705 is a high-severity vulnerability affecting the Eclipse Foundation's OpenVSX marketplace platform, specifically versions prior to June 24, 2025. The vulnerability stems from improper control of dynamically-managed code resources (CWE-913) and relates to missing sandboxing in the continuous integration (CI) job runs responsible for auto-publishing extensions on open-vsx.org. Because the CI jobs that build and publish extensions were not properly sandboxed, an attacker who had access to an existing extension could inject and execute arbitrary build scripts. This capability allows the attacker to escalate privileges by taking over the service account used by the marketplace, effectively gaining control over the OpenVSX publishing infrastructure. The vulnerability does not require user interaction and can be exploited remotely over the network with low attack complexity, though it requires some privileges (access to an existing extension). The CVSS 4.0 score of 7.6 reflects the high confidentiality and integrity impact due to potential full compromise of the marketplace service account, which could lead to malicious extension publication or disruption of the marketplace. The vulnerability was publicly disclosed shortly after being fixed on June 24, 2025, and no known exploits have been reported in the wild as of the publication date. The root cause is the lack of sandboxing in the CI pipeline, allowing untrusted code execution during extension publishing.
Potential Impact
For European organizations, the impact of this vulnerability is significant, especially for software developers, enterprises, and organizations relying on OpenVSX for extension management and distribution. Compromise of the OpenVSX marketplace service account could lead to unauthorized publication of malicious extensions, which may be downloaded and installed by developers and organizations, potentially leading to widespread supply chain attacks. This could result in data breaches, intellectual property theft, insertion of backdoors, or disruption of development workflows. Additionally, organizations that integrate OpenVSX extensions into their CI/CD pipelines or development environments may face integrity and availability risks. The vulnerability undermines trust in the extension ecosystem and could have cascading effects on software supply chains across Europe, particularly in sectors with high reliance on open-source tooling such as finance, telecommunications, and government agencies.
Mitigation Recommendations
To mitigate this vulnerability, affected organizations and users should immediately update OpenVSX to the fixed version released on or after June 24, 2025. Beyond patching, it is critical to implement strict sandboxing and isolation controls for CI job executions to prevent arbitrary code execution. Organizations operating their own OpenVSX instances should audit their CI pipelines to ensure build scripts run with least privilege and in isolated environments. Access controls should be tightened to restrict who can publish or modify extensions, and multi-factor authentication should be enforced for service accounts. Monitoring and logging of CI job activities should be enhanced to detect anomalous behavior indicative of exploitation attempts. Additionally, organizations should review and validate extensions before installation, employing code signing and integrity verification mechanisms to reduce risk from compromised extensions. Finally, security awareness training for developers on supply chain risks is recommended.
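The isolation the recommendations call for, as an added example that is not Open VSX's own CI code: the untrusted extension build runs in a scrubbed environment, and only a separate, later step receives the publishing token. The token name `OVSX_PAT`, the probe build script and the stand-in publish step are assumptions made for this demonstration.

```shell
#!/bin/sh
# Added example, not the Open VSX publish pipeline. Shows why the publishing token
# must never be in the environment of the step that runs an extension's build script.

# Unsafe pattern described in the advisory: the build script inherits the CI job's
# full environment, so any secret the job holds is readable by the script.
run_build_unsafe() {
    /bin/sh "$1"
}

# Isolated pattern: env -i drops every variable, then only an explicit allowlist
# (PATH, a throwaway HOME, CI) is handed to the build script.
run_build_isolated() {
    env -i PATH="$PATH" HOME="$(mktemp -d)" CI=true /bin/sh "$1"
}

# Privileged step, run separately after the build. Stand-in for the real upload:
# it only confirms the token is present and names the artifact it would publish.
publish_with_token() {
    [ -n "${OVSX_PAT:-}" ] || { echo "publish: no token in environment" >&2; return 1; }
    echo "publish: would upload $1 using a token of length ${#OVSX_PAT}"
}

# Constructed build script that simply prints whatever OVSX_PAT it can see.
# A malicious script would do the same and send the value elsewhere.
write_probe_script() {
    f="$(mktemp)"
    printf '%s\n' 'printf "%s" "${OVSX_PAT:-}"' > "$f"
    echo "$f"
}

# Each check runs in a subshell with a constructed token exported, so the token
# never leaks into the caller's shell. Returns what the build script observed.
token_seen_by_unsafe_build() {
    ( export OVSX_PAT="constructed-secret-token"; run_build_unsafe "$(write_probe_script)" )
}
token_seen_by_isolated_build() {
    ( export OVSX_PAT="constructed-secret-token"; run_build_isolated "$(write_probe_script)" )
}

# Full pipeline in the safe order: build isolated first, then publish with the token.
publish_pipeline() {
    run_build_isolated "$(write_probe_script)" >/dev/null
    ( export OVSX_PAT="constructed-secret-token"; publish_with_token "$1" )
}
```

Running `token_seen_by_unsafe_build` prints the constructed token, while `token_seen_by_isolated_build` prints nothing; the publishing step still works because it is the only step that receives the token.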
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: eclipse
- Date Reserved: 2025-06-26T10:19:23.466Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 685eb4266f40f0eb7263ec9a
Added to database: 6/27/2025, 3:09:26 PM
Last enriched: 6/27/2025, 3:24:30 PM
Last updated: 7/28/2025, 12:02:07 AM