CVE-2025-6705

An attacker submits a malicious extension to the Open VSX Registry's automated build pipeline. The pipeline executes the extension's custom build commands (`extension.custom`) or prepublish scripts (`extension.prepublish`) via `exec()` in `build-extension.js` [patch_id=6639772]. Because the build script runs as a child process that inherits the full environment of the parent `publish-extensions.js` process, the attacker's code can read `process.env.OVSX_PAT` — the token that authorizes publishing under any namespace. With this token, the attacker can publish new versions of any extension on the registry, including extensions they do not own. The token does not allow deletion, overwriting of existing versions, or access to administrative features.

The vulnerability resides in the automated publishing pipeline of the Eclipse Open VSX Registry. The `scripts/publish-extensions.js` file spawned `publish-extension.js` as a child process using `cp.spawn()`, passing the full extension and context object (including the `OVSX_PAT` token) via `process.argv[2]`. The `scripts/build-extension.js` file (formerly `publish-extension.js`) performed the actual build and publish steps, including reading `process.env.OVSX_PAT` to authenticate the publish call. Because the child process inherited the parent's environment, a malicious extension's build scripts (`extension.custom`, `extension.prepublish`) could access the privileged token through environment variables or process arguments.

The patch [patch_id=6639772] restructures the publishing pipeline to use separate CI jobs instead of spawning `publish-extension.js` as a child process. Previously, `publish-extensions.js` called `cp.spawn(process.execPath, ['publish-extension.js', JSON.stringify({extension, context, extensions})], ...)`, which passed the full context (including the token-bearing environment) to a child process that executed untrusted extension build scripts. The fix moves the build logic into `build-extension.js` as an exported module and has `publish-extensions.js` call it directly via `require()` rather than via a subprocess. This eliminates the environment inheritance path that allowed extension build scripts to access `OVSX_PAT`. Additionally, the publish step (which requires the token) is now performed in a separate CI job that never runs untrusted extension code.