Vulnerability in Eclipse Open VSX marketplace extension publication process

On May 4th, the Eclipse Foundation (EF) Security Team received a report from researchers at Koi Security regarding a potential issue in the Eclipse Open VSX marketplace extension publication process. The EF Security Team immediately contacted the Eclipse Open VSX team and, upon confirming the issue, work on a fix was promptly initiated.

Following several iterations and thorough testing (necessary due to the intrusive nature of the change to the extension build process), the fix was successfully deployed on June 24th.


We would like to thank the researchers for reporting the issue, reviewing the proposed fixes, and supporting the resolution process, as well as the members of the Eclipse Open VSX team who were involved.

The researchers have published their findings on Koi Security's blog, providing further insight into the issue. Additionally, we have published CVE-2025-6705 to track and document this vulnerability.

A more detailed technical security advisory will be published in the coming days.

Eclipse Open VSX has grown in popularity in recent months, and we’re grateful to independent researchers for their investigation and responsible disclosure. We encourage all projects that depend on Eclipse Open VSX to consider contributing to or financially supporting the initiative.