Eclipse Open VSX Registry Security Advisory
This security advisory provides additional technical details following our initial statement and the corresponding CVE record.
TL;DR
A vulnerability in the Eclipse Open VSX Registry’s automated publishing system could have allowed unauthorized extension uploads. It did not affect existing extensions or admin functions.
The issue was reported on May 4, 2025, fully fixed by June 24, and followed by a complete audit. No evidence of compromise was found, but 81 extensions were proactively deactivated as a precaution.