CVE-2025-1007

Source
https://cve.org/CVERecord?id=CVE-2025-1007
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1007.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-1007
Aliases
  • GHSA-wc7c-xq2f-qp4h
Published
2025-02-19T09:15:10.117Z
Modified
2026-04-12T17:59:02.409748Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Summary
[none]
Details

In OpenVSX versions v0.9.0 to v0.20.0, the /user/namespace/{namespace}/details API allows a user to edit all namespace details, even if the user is not a namespace Owner or Contributor. The details include: name, description, website, support link and social media links. The same issue existed in /user/namespace/{namespace}/details/logo and allowed a user to change the logo.

Affected packages

Git / github.com/eclipse/openvsx

Affected ranges

Type
GIT
Repo
https://github.com/eclipse/openvsx
Database specific
{
    "versions": [
        {
            "introduced": "0.9.0"
        },
        {
            "fixed": "0.19.1"
        }
    ]
}

Affected versions

v0.*
v0.10.0
v0.11.0
v0.11.1
v0.12.0
v0.13.0
v0.13.1
v0.13.2
v0.13.3
v0.13.4
v0.14.0
v0.14.1
v0.14.2
v0.14.3
v0.14.4
v0.14.5
v0.14.6
v0.15.0
v0.15.1
v0.15.2
v0.15.3
v0.15.4
v0.15.5
v0.15.6
v0.15.7
v0.15.8
v0.16.0
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.18.0
v0.18.1
v0.19.0
v0.9.0
v0.9.1
v0.9.3
v0.9.4
v0.9.5
v0.9.6
v0.9.7

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1007.json"
vanir_signatures_modified
"2026-04-12T17:59:02Z"
vanir_signatures
[
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 481.0,
            "function_hash": "157356004878538682444430866028850473514"
        },
        "source": "https://github.com/eclipse/openvsx/commit/217c6230dcd5da680fd988e17c21e2db925dc294",
        "id": "CVE-2025-1007-26a51719",
        "signature_type": "Function",
        "target": {
            "function": "updateNamespaceDetails",
            "file": "server/src/main/java/org/eclipse/openvsx/UserAPI.java"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "source": "https://github.com/eclipse/openvsx/commit/217c6230dcd5da680fd988e17c21e2db925dc294",
        "id": "CVE-2025-1007-36179390",
        "signature_type": "Line",
        "target": {
            "file": "server/src/main/java/org/eclipse/openvsx/UserAPI.java"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 1115.0,
            "function_hash": "70728680307636597817043102915292167235"
        },
        "source": "https://github.com/eclipse/openvsx/commit/217c6230dcd5da680fd988e17c21e2db925dc294",
        "id": "CVE-2025-1007-4eb9f830",
        "signature_type": "Function",
        "target": {
            "function": "updateNamespaceDetails",
            "file": "server/src/main/java/org/eclipse/openvsx/UserService.java"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "threshold": 0.9
        },
        "source": "https://github.com/eclipse/openvsx/commit/217c6230dcd5da680fd988e17c21e2db925dc294",
        "id": "CVE-2025-1007-59c73a83",
        "signature_type": "Line",
        "target": {
            "file": "server/src/main/java/org/eclipse/openvsx/UserService.java"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 338.0,
            "function_hash": "170018850002950356774648675892338990517"
        },
        "source": "https://github.com/eclipse/openvsx/commit/217c6230dcd5da680fd988e17c21e2db925dc294",
        "id": "CVE-2025-1007-b038fb95",
        "signature_type": "Function",
        "target": {
            "function": "updateNamespaceDetailsLogo",
            "file": "server/src/main/java/org/eclipse/openvsx/UserAPI.java"
        }
    },
    {
        "signature_version": "v1",
        "deprecated": false,
        "digest": {
            "length": 1194.0,
            "function_hash": "72774850197436932297950089662233192898"
        },
        "source": "https://github.com/eclipse/openvsx/commit/217c6230dcd5da680fd988e17c21e2db925dc294",
        "id": "CVE-2025-1007-b8716746",
        "signature_type": "Function",
        "target": {
            "function": "updateNamespaceDetailsLogo",
            "file": "server/src/main/java/org/eclipse/openvsx/UserService.java"
        }
    }
]