Eclipse Open VSX Registry Unauthorized Extension Upload Vulnerability

Vulnerability

A vulnerability in the Eclipse Open VSX Registry's automated publishing system could have allowed unauthorized uploads of extensions. The issue arose because the system ran extension build scripts without proper isolation from its own credentials, potentially exposing a privileged token that enabled the publishing of new extension versions under any namespace, including those not controlled by the attacker. The vulnerability did not, however, allow the deletion of existing extensions, the overwriting of already published versions, or access to the registry's administrative features. The problem was reported on May 4, 2025, and fully resolved by June 24, 2025, following a comprehensive audit. No evidence of compromise was found, although 81 extensions were proactively deactivated as a precaution.

Impact

Exploitation of this vulnerability could have led to unauthorized uploads of extensions, potentially allowing malicious actors to publish harmful or disruptive content under various namespaces.

Reproduction

The vulnerability could be reproduced by having the automated publishing system process an extension whose build step ran without proper isolation, so that the privileged token reachable from the build environment could be used to publish without proper authorization.

Remediation

The vulnerability has been addressed by modifying the publishing workflow to run build scripts in separate jobs rather than as child processes of the publishing job, so that the build environment is isolated from the publishing token. Users are advised to follow the latest guidelines and practices for extension publishing to avoid similar vulnerabilities in the future.
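As an added illustration that is not part of this advisory or of the Open VSX project's own workflow, the following GitHub Actions layout shows the weak pattern (an untrusted build script running in the same job that holds the publishing token) next to the job-separated pattern the remediation describes. The workflow, job, artifact and secret names (OVSX_PAT, build.sh, vsix) are assumptions.

```yaml
# Added example, not the Open VSX project's workflow. OVSX_PAT, build.sh
# and the artifact name are assumed placeholders.

# .github/workflows/publish-weak.yml
# WEAK: the third-party build script runs in the same job that holds the
# publishing token, so any command it executes can read that token.
name: publish-weak
on: [workflow_dispatch]
jobs:
  build-and-publish:
    runs-on: ubuntu-latest
    env:
      OVSX_PAT: ${{ secrets.OVSX_PAT }}   # visible to every step, including the build
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh                   # untrusted: comes from the extension's repo
      - run: npx ovsx publish *.vsix -p "$OVSX_PAT"
---
# .github/workflows/publish-isolated.yml
# HARDENED: the build runs in a job that carries no secrets; only the built
# package crosses the job boundary, and the token is scoped to the one step
# that needs it in a separate job that never runs the build script.
name: publish-isolated
on: [workflow_dispatch]
jobs:
  build:
    runs-on: ubuntu-latest
    # no env or secrets here: the build script has nothing privileged to read
    steps:
      - uses: actions/checkout@v4
      - run: ./build.sh
      - uses: actions/upload-artifact@v4
        with:
          name: vsix
          path: "*.vsix"
  publish:
    needs: build
    runs-on: ubuntu-latest
    steps:
      - uses: actions/download-artifact@v4
        with:
          name: vsix
      - run: npx ovsx publish *.vsix -p "$OVSX_PAT"
        env:
          OVSX_PAT: ${{ secrets.OVSX_PAT }}   # exposed only to this single step
```

The job boundary protects the token, not the package: the build script still produces the artifact, so the publish job should additionally check that the package's namespace and version match the extension being processed before publishing it.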

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 6.1
remediation: 0.0
relevance: 0.2
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.