CVE-2025-1007

low-risk

Published 2025-02-19

In OpenVSX version v0.9.0 to v0.20.0, the /user/namespace/{namespace}/details API allows a user to edit all namespace details, even if the user is not a namespace Owner or Contributor. The details include: name, description, website, support link and social media links. The same issues existed in /user/namespace/{namespace}/details/logo and allowed a user to change the logo.

Do I need to act?

0.43% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.3/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Open Vsx

Affected Vendors

Eclipse

References (1)

Exploit https://github.com/eclipse/openvsx/security/advisories/GHSA-wc7c-xq2f-qp4h

/ 100

low-risk

Severity 21/34 · High

Exploitability 2/34 · Minimal

Exposure 5/34 · Minimal