CVE-2021-41038
Description
In versions of the @theia/plugin-ext component of Eclipse Theia prior to 1.18.0, Webview contents can be hijacked via postMessage().
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| @theia/plugin-ext | npm | < 1.18.0 | 1.18.0 |
Affected products
- Range: unspecified
Patches
Vulnerability mechanics
Root cause
"Missing origin verification in the webview message event listener allows an untrusted frame to inject commands via postMessage()."
Attack vector
An attacker can craft a malicious web page that opens or embeds a Theia webview and then calls `postMessage()` on it with a payload whose `command` field is `'onmessage'` or `'do-update-state'`. Because the message handler did not check which window the message came from, the webview processed the attacker-supplied data as if it had been sent by a trusted child frame. The attacker can therefore inject arbitrary content into the webview, effectively hijacking its contents [CWE-940].
Affected code
The vulnerability resides in `packages/plugin-ext/src/main/browser/webview/pre/host.js` in the `window.addEventListener('message', ...)` handler. The patch adds a check that verifies `e.source` is either a child frame, the window itself, or the parent window before processing the message. Without this check, any origin can send a `postMessage()` to the webview and have its `onmessage` or `do-update-state` commands accepted [patch_id=6635863].
What the fix does
The patch adds a loop that iterates over `window.frames` to check whether `e.source` is one of the webview's child frames. It also accepts messages whose `e.source` is `window` itself or `window.parent`. If the source matches none of these, the handler returns early without processing the message. Only messages sent by the webview's own child frames, the webview window, or its parent are therefore accepted, closing the spoofed-source attack vector [patch_id=6635863]. Note that the check is on the identity of the sending window (`e.source`), which the browser sets and the sender cannot forge, rather than on the `e.origin` string.
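The following is an added example, not code from the Theia repository or from the fix PR. It models the source check described above as pure functions so that it runs in Node: `isTrustedSource`, `makeMessageHandler`, `buildScenario` and `simulate` are hypothetical names chosen for this illustration, and the window, parent, child frame and attacker page are constructed mock objects standing in for the real DOM `WindowProxy` objects. The old and the fixed handler are run against the same spoofed message so the difference is visible.

```javascript
// Added example (not Theia's own code). It models the source check that the
// fix adds to the 'message' listener in host.js, written as pure functions so
// it runs in Node: the browser's window, frames and parent are replaced by
// constructed mock objects below. Real DOM code would pass `window` instead.

// A message is trusted only if it was sent by this window, by its parent, or
// by one of its direct child frames. The comparison is on window identity
// (e.source), not on the origin string, which is what the patch does.
function isTrustedSource(source, win) {
  if (source === win || source === win.parent) {
    return true;
  }
  for (let i = 0; i < win.frames.length; i++) {
    if (win.frames[i] === source) {
      return true;
    }
  }
  return false;
}

// Builds the handler. With `verifySource` false it behaves like the pre-1.18.0
// listener: any sender can dispatch 'onmessage' or 'do-update-state'.
// Returns 'dropped', 'ignored' or the name of the command that ran.
function makeMessageHandler(win, sink, verifySource) {
  return function onMessage(e) {
    if (verifySource && !isTrustedSource(e.source, win)) {
      return 'dropped';                    // the fix: bail out early
    }
    const msg = e.data || {};
    switch (msg.command) {
      case 'onmessage':
        sink.messages.push(msg.data);      // forwarded to the webview content
        return 'onmessage';
      case 'do-update-state':
        sink.state = msg.data;             // persisted webview state
        return 'do-update-state';
      default:
        return 'ignored';
    }
  };
}

// Constructed stand-ins (hypothetical, not real DOM objects) for the webview
// host window, its parent (the Theia shell), its child frame (the webview
// content) and an unrelated attacker-controlled page.
function buildScenario() {
  const parentWin = { name: 'theia-shell' };
  const childFrame = { name: 'webview-content' };
  const hostWin = { name: 'webview-host', parent: parentWin, frames: [childFrame] };
  const attackerWin = { name: 'attacker-page' };
  return { parentWin, childFrame, hostWin, attackerWin };
}

// Runs one spoofed message against the old and the fixed handler and returns
// what each did, plus the legitimate paths that must keep working after the fix.
function simulate() {
  const { parentWin, childFrame, hostWin, attackerWin } = buildScenario();
  const spoofed = {
    source: attackerWin,
    data: { command: 'onmessage', data: '<attacker-supplied markup>' },
  };

  const vulnSink = { messages: [], state: undefined };
  const vuln = makeMessageHandler(hostWin, vulnSink, false);
  const fixedSink = { messages: [], state: undefined };
  const fixed = makeMessageHandler(hostWin, fixedSink, true);

  return {
    vulnerable: vuln(spoofed),                      // 'onmessage'
    vulnerableInjected: vulnSink.messages.length,   // 1
    fixed: fixed(spoofed),                          // 'dropped'
    fixedInjected: fixedSink.messages.length,       // 0
    fromChild: fixed({ source: childFrame,
                       data: { command: 'do-update-state', data: { scroll: 3 } } }),
    fromParent: fixed({ source: parentWin,
                        data: { command: 'onmessage', data: 'hello' } }),
    fromSelf: fixed({ source: hostWin,
                      data: { command: 'onmessage', data: 'self' } }),
    unknownCommand: fixed({ source: childFrame, data: { command: 'nope' } }),
    stateAfter: fixedSink.state,
  };
}

console.log(simulate());
```

In a real page the same check is written against `window`, `window.parent` and `window.frames`; for a top-level document `window.parent` is `window` itself, so the parent branch collapses into the self branch there.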
Preconditions
- Network: The attacker must be able to deliver a `postMessage()` to a Theia webview, for example by luring the victim to a malicious page that embeds or opens the webview.
- Config: The victim must be using a version of Eclipse Theia prior to 1.18.0 with the @theia/plugin-ext component.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- GitHub Security Advisory GHSA-w6v7-w58j-pg5r: github.com/advisories/GHSA-w6v7-w58j-pg5r
- NVD entry: nvd.nist.gov/vuln/detail/CVE-2021-41038
- Eclipse Bugzilla (vendor confirmation): bugs.eclipse.org/bugs/show_bug.cgi
- Fix pull request: github.com/eclipse-theia/theia/pull/10125