{"id":"CVE-2025-1007","details":"In OpenVSX versions v0.9.0 to v0.20.0, the /user/namespace/{namespace}/details API allows a user to edit all namespace details even if that user is not an Owner or Contributor of the namespace; namespace membership is not enforced on this endpoint. The editable details are: name, description, website, support link and social media links. The same issue affects /user/namespace/{namespace}/details/logo, which allows such a user to change the namespace logo. Note that this description's range (up to v0.20.0) differs from the structured affected range in this record (fixed in 0.19.1); confirm the fixed release against the referenced advisory.","aliases":["GHSA-wc7c-xq2f-qp4h"],"modified":"2026-04-12T17:59:02.409748Z","published":"2025-02-19T09:15:10.117Z","references":[{"type":"EVIDENCE","url":"https://github.com/eclipse/openvsx/security/advisories/GHSA-wc7c-xq2f-qp4h"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/eclipse/openvsx","events":[{"introduced":"ab51904125fbfa70a86504c62d61f79297514d86"},{"fixed":"217c6230dcd5da680fd988e17c21e2db925dc294"}],"database_specific":{"versions":[{"introduced":"0.9.0"},{"fixed":"0.19.1"}]}}],"versions":["v0.10.0","v0.11.0","v0.11.1","v0.12.0","v0.13.0","v0.13.1","v0.13.2","v0.13.3","v0.13.4","v0.14.0","v0.14.1","v0.14.2","v0.14.3","v0.14.4","v0.14.5","v0.14.6","v0.15.0","v0.15.1","v0.15.2","v0.15.3","v0.15.4","v0.15.5","v0.15.6","v0.15.7","v0.15.8","v0.16.0","v0.16.1","v0.16.2","v0.16.3","v0.16.4","v0.17.0","v0.18.0","v0.18.1","v0.19.0","v0.9.0","v0.9.1","v0.9.3","v0.9.4","v0.9.5","v0.9.6","v0.9.7"],"database_specific":{"vanir_signatures":[{"signature_type":"Function","id":"CVE-2025-1007-26a51719","deprecated":false,"signature_version":"v1","source":"https://github.com/eclipse/openvsx/commit/217c6230dcd5da680fd988e17c21e2db925dc294","digest":{"function_hash":"157356004878538682444430866028850473514","length":481},"target":{"function":"updateNamespaceDetails","file":"server/src/main/java/org/eclipse/openvsx/UserAPI.java"}},{"signature_type":"Line","id":"CVE-2025-1007-36179390","deprecated":false,"signature_version":"v1","source":"https://github.com/eclipse/openvsx/commit/217c6230dcd5da680fd988e17c21e2db925dc294","digest":{"line_hashes
":["121258889466250504368635351987300913607","325196240833915117636534983877139755","90240948967792633657593332763199840897","193686869920041505124088476124167664291","104795098280372888035703902869618386875","113009157012698016922414126149473055236","275136792863201246686386616109851514842","104866060408408200076097494722083085669","205305083604552679156158056319443975183","196353624173852383429737158108325259045","302894842755531717136751454810368467961","336493347736069113185053439069456321057","337740311932085367792636490013818739551","227453192449564871397850482548795327105","65358592712713680023683962288604965740","299276005154824058151742654985350480721"],"threshold":0.9},"target":{"file":"server/src/main/java/org/eclipse/openvsx/UserAPI.java"}},{"signature_type":"Function","id":"CVE-2025-1007-4eb9f830","deprecated":false,"signature_version":"v1","source":"https://github.com/eclipse/openvsx/commit/217c6230dcd5da680fd988e17c21e2db925dc294","digest":{"function_hash":"70728680307636597817043102915292167235","length":1115},"target":{"function":"updateNamespaceDetails","file":"server/src/main/java/org/eclipse/openvsx/UserService.java"}},{"signature_type":"Line","id":"CVE-2025-1007-59c73a83","deprecated":false,"signature_version":"v1","source":"https://github.com/eclipse/openvsx/commit/217c6230dcd5da680fd988e17c21e2db925dc294","digest":{"line_hashes":["114308785335838827738471144886846078112","152962826089449561523762937235415229408","7868966762662300662449422402700115595","238604549136021864837183883442361928069","107999460687389791965871758179707715586","184670030177759120366355707061359851929","143977102339485873802062939840077676323","291596161455228604758668274237710945793","235461940008854342831195808288760831564","141470167231814639063062268973975297012","108916370102657225266626879507691028142","134167044907431745924027753506986824617","30152955581587218572947934155951163658","285526065952271633993144592618380992582","337658292886264444290318462598253085363
","178715278627866028639719768894032053910"],"threshold":0.9},"target":{"file":"server/src/main/java/org/eclipse/openvsx/UserService.java"}},{"signature_type":"Function","id":"CVE-2025-1007-b038fb95","deprecated":false,"signature_version":"v1","source":"https://github.com/eclipse/openvsx/commit/217c6230dcd5da680fd988e17c21e2db925dc294","digest":{"function_hash":"170018850002950356774648675892338990517","length":338},"target":{"function":"updateNamespaceDetailsLogo","file":"server/src/main/java/org/eclipse/openvsx/UserAPI.java"}},{"signature_type":"Function","id":"CVE-2025-1007-b8716746","deprecated":false,"signature_version":"v1","source":"https://github.com/eclipse/openvsx/commit/217c6230dcd5da680fd988e17c21e2db925dc294","digest":{"function_hash":"72774850197436932297950089662233192898","length":1194},"target":{"function":"updateNamespaceDetailsLogo","file":"server/src/main/java/org/eclipse/openvsx/UserService.java"}}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-1007.json","vanir_signatures_modified":"2026-04-12T17:59:02Z"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}]}