CVE-2025-6705 — MEDIUM (5.3)

Vulnerability Description

A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system’s build scripts were executed without proper isolation, potentially exposing a privileged token. This token enabled the publishing of new extension versions under any namespace, including those not controlled by an attacker. However, it did not permit deletion of existing extensions, overwriting of published versions, or access to administrative features of the registry. The issue was reported on May 4, 2025, fully resolved by June 24, and followed by a comprehensive audit. No evidence of compromise was found, though 81 extensions were proactively deactivated as a precaution. The standard publishing process remained unaffected. Recommendations have been issued to mitigate similar risks in the future.

CVSS Score

5.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

NONE

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Eclipse	Open Vsx	-

Related Weaknesses (CWE)

CWE-913 CWE-653

References

https://github.com/EclipseFdn/publish-extensions/pull/881Issue Tracking
https://open-vsx.orgProduct

FAQ

What is CVE-2025-6705?

CVE-2025-6705 is a vulnerability with a CVSS score of 5.3 (MEDIUM). A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized uploads of extensions. Specifically, the system’s build scripts were executed without pro...

How severe is CVE-2025-6705?

CVE-2025-6705 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-6705?

Check the references section above for vendor advisories and patch information. Affected products include: Eclipse Open Vsx.