CVE-2025-6705: High-Severity CI Job Sandboxing Vulnerability in open-vsx.org
A high-severity vulnerability, CVE-2025-6705, has been identified in open-vsx.org, the Eclipse Foundation's open-source marketplace for VS Code extensions. Because CI job runs were not sandboxed, the build scripts of an extension executed in the same context as the publishing job, so a malicious build script could run arbitrary commands and reach the credentials of the marketplace's service account.
🔍 TL;DR Summary
CVE-2025-6705 describes a vulnerability in open-vsx.org where insufficient CI job sandboxing enabled an attacker with access to an existing extension to execute arbitrary build scripts and potentially take over the marketplace service account. The issue was fixed on June 24th, 2025 in the publish-extensions code repository. The fix is server-side, so there is nothing for extension consumers to install; extension publishers should be aware that a service-account takeover would have allowed tampering with extensions other than the attacker's own.
🚨 Vulnerability Details
CVE ID
CVE-2025-6705
Description
The open-vsx.org platform was susceptible to arbitrary build script execution due to the absence of proper sandboxing for Continuous Integration (CI) job runs. An attacker possessing access to an existing extension could exploit this flaw to compromise the marketplace's service account.
CVSS Score and Vector
CVSS v4.0: 7.6 (HIGH)
Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Explanation: The base metrics say the flaw is reachable over the network (AV:N) with low attack complexity (AC:L), but attack requirements are present (AT:P): the attacker needs a foothold in an existing extension's build, which is also why low privileges are required (PR:L). No user interaction is needed (UI:N). Impact on the vulnerable system is high for confidentiality and integrity (VC:H/VI:H) and none for availability (VA:N); no impact on subsequent systems is rated (SC:N/SI:N/SA:N). The trailing metrics set to X (threat, environmental and supplemental) are simply not defined.
Exploit Requirements
An attacker must control the contents of an existing extension that the marketplace builds and publishes, for example as a maintainer of its source repository or by having compromised that repository. This is the low-privilege, attack-requirements-present condition (PR:L, AT:P) reflected in the CVSS vector.
Affected Vendor, Product, Version
- Vendor: Eclipse Foundation (open-vsx.org)
- Product: open-vsx.org
- Version: open-vsx.org is a hosted service, so there is no affected release number; the vulnerable behaviour was present in the publish-extensions pipeline as deployed before the fix on June 24th, 2025.
CWE
- CWE-653: Improper Isolation or Compartmentalization
- CWE-913: Improper Control of Dynamically-Managed Code Resources
Explanation: CWE-653 applies because the build step was not separated from the job context that held the service account's credentials. CWE-913 applies because the job executed code chosen by the extension's author (its build scripts) rather than by the platform, so whoever controlled the extension controlled what ran.
📅 Timeline of Events
- 2025-06-24: Vulnerability fixed in publish-extensions code repository.
- 2025-06-27: CVE-2025-6705 publicly disclosed.
🧠 Exploitability & Real-World Risk
This vulnerability poses a significant supply-chain risk. The first step is small: an attacker who already controls one extension adds a malicious build script, which the unsandboxed CI job runs. The consequence is large: if that script recovers the marketplace service account's credentials, the attacker can act as the marketplace itself and publish or overwrite extensions they do not own, reaching every user who installs or updates them. That is the path from a single compromised extension to a marketplace-wide supply-chain attack.
🛠️ Recommendations
- The fix is server-side in the publish-extensions repository; extension consumers have nothing to install. Anyone running their own fork of the publish-extensions pipeline should pick up the June 24th, 2025 fix.
- Run untrusted build steps in an isolated job or container that holds no publishing credentials, and hand the service-account token only to the separate publish step.
- Audit and monitor published extensions for unexpected version bumps or changed contents, since a service-account takeover would let an attacker republish extensions they do not own.
- Extension developers should review what their build scripts and dependencies actually execute, because those are the scripts a build pipeline like this one runs.
🧪 Technical Insight
The vulnerability stems from the fact that build scripts executed during the CI process were not isolated from the rest of the job. The build steps ran in the same context that held the marketplace service account's publishing credentials, so any command a malicious extension's build script ran could read those credentials or otherwise act with the job's privileges. The fix is to treat the build as untrusted code: run it where no publishing secret is present and give the secret only to the publish step.
🙌 Credit to Researcher(s)
Credit to the Eclipse Foundation Security Team for discovering and addressing this vulnerability.
🧵 Tags
CVE-2025-6705, open-vsx, CI Sandboxing, RCE, Eclipse, Extension Security, Security Advisory
Summary: CVE-2025-6705 details a high-severity vulnerability in open-vsx.org caused by insufficient CI job sandboxing. An attacker with access to an existing extension could execute arbitrary build scripts in the publishing job, potentially leading to a marketplace service account takeover. The vulnerability was fixed on June 24th, 2025.
CVE ID: CVE-2025-6705
Risk Analysis: Successful exploitation could give an attacker the marketplace service account's privileges, including the ability to publish or overwrite extensions they do not own and so deliver malicious code to every user who installs or updates them.
Recommendation: Apply the latest security patches, implement robust CI/CD pipeline sandboxing, and regularly audit extensions for suspicious activity.