SecuriTricks - CVE-2025-6705

Description

On open-vsx.org https://open-vsx.org/ it was possible to run an arbitrary build scripts for auto-published extensions because of missing sandboxing of CI job runs. An attacker who had access to an existing extension could take over the service account of the marketplace. The issue has been fixed on June 24th, 2025 and the vulnerable code present in the publish-extension code repository.

Product(s) Impacted

Vendor	Product	Versions
Eclipse	Open-vsx	*

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-653

Improper Isolation or Compartmentalization

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

*CPE(s)

Affected systems and software identified for this CVE.

Type	Vendor	Product	Version	Update	Edition	Language	Software Edition	Target Software	Target Hardware	Other Information
a	eclipse	open-vsx	/	/	/	/	/	/	/	/

References

https://github.com/EclipseFdn/publish-extensions/pull/881

https://open-vsx.org

CVSS Score

7.6 / 10

CVSS Data - 4.0

Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: PRESENT
Privileges Required: LOW
User Interaction: NONE
Scope:
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
Exploit Maturity: NOT_DEFINED

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

View Vector String

Timeline

Published: June 27, 2025, 3:15 p.m.
Last Modified: June 27, 2025, 5:15 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

emo@eclipse.org

CVE-2025-6705