CVE-2025-1007

Name of the Vulnerable Software and Affected Versions OpenVSX versions v0.9.0 through v0.20.0

Description The issue allows a user to edit all namespace details, including name, description, website, support link, and social media links, even if the user is not a namespace Owner or Contributor. This is possible through the /user/namespace/{namespace}/details API endpoint and also affects the /user/namespace/{namespace}/details/logo endpoint, allowing a user to change the logo.

Recommendations For OpenVSX versions v0.9.0 through v0.20.0, consider restricting access to the /user/namespace/{namespace}/details and /user/namespace/{namespace}/details/logo API endpoints to only allow authorized users, such as namespace Owners or Contributors, to edit namespace details and change logos. At the moment, there is no information about a newer version that contains a fix for this vulnerability.