Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks
"Open Sesame": The Logic Flaw That Let Malicious VS Code Extensions Bypass Open VSX Security
TL;DR
Researchers discovered a critical "fail-open" vulnerability in the Open VSX extension registry. Due to a logic error that conflated system failures with successful scans, attackers could bypass security checks and publish malicious code by simply overwhelming the system’s database connections. The issue has since been patched.
The security of the software supply chain often hinges on the integrity of the marketplaces and registries we trust. Recently, cybersecurity researchers disclosed a significant flaw in Open VSX, an open-source alternative to the Microsoft Visual Studio Code Marketplace.
The vulnerability, codenamed "Open Sesame," allowed potentially malicious extensions to bypass mandatory security vetting, effectively rendering pre-publish scanners useless under specific conditions.
The Flaw: A Binary Misinterpretation
The issue lies within Open VSX’s Java-based pre-publish scanning pipeline. In February 2026, the Eclipse Foundation (which maintains Open VSX) implemented these checks to combat the rise of rogue extensions. However, Koi Security researcher Oran Simhony discovered a fundamental flaw in how the system handled error states.
The pipeline utilized a single boolean return value to communicate the status of a scan. The problem? This single "true/false" value represented two diametrically opposed scenarios:
- "No scanners are configured" (meaning the extension is safe for immediate release).
- "All scanners failed to run" (meaning a system error occurred).
"The caller couldn't tell the difference," Simhony explained in the report. "So when scanners failed under load, Open VSX treated it as 'nothing to scan for' and waved the extension right through."
How the "Open Sesame" Attack Worked
What makes this vulnerability particularly dangerous is its simplicity and reliability. Because the system was designed to "fail-open," an attacker did not need advanced privileges to exploit it.
- Triggering System Load: An attacker with a free publisher account could flood the publishing endpoint with multiple malicious .VSIX extensions.
- Resource Exhaustion: This concurrent load would exhaust the database connection pool.
- Scan Failure: Because of the exhausted pool, new scan jobs would fail to enqueue.
- The Bypass: The system misinterpreted these enqueue failures as "no scanners configured" and immediately activated the extensions, making them available for download to users of VS Code forks like Cursor and Windsurf.
Troublingly, a recovery service meant to retry failed scans suffered from the exact same logic error, ensuring that the malicious code could skip the vetting process entirely.
Remediation and Lessons in "Fail-Safe" Design
The vulnerability was responsibly disclosed to the Eclipse Foundation on February 8, 2026, and was patched in Open VSX version 0.32.0 last month.
The discovery serves as a stark reminder of the dangers of "fail-open" error handling in security-critical infrastructure. Koi Security emphasized that the design of the pipeline was sound, but the implementation of the return value turned a security gate into a liability.
Key Takeaways for Developers:
- Make Failure Explicit: Never allow a "no work needed" state to share a return value with a "work failed" state.
- Fail-Closed Design: In security contexts, if a scanner or vetting tool fails to run due to system load or technical errors, the default action should be to quarantine the file, not release it.
- Monitor Resource Exhaustion: Critical pipelines should have safeguards against database or memory exhaustion being used as a vector to bypass logic checks.
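The boolean return described under "The Flaw" and the "Make Failure Explicit" and "Fail-Closed Design" takeaways above, as an added example that is not Open VSX's own code: the real pipeline is Java, but this Python sketch uses a constructed in-memory queue (FakeJobQueue, PoolExhausted) to contrast an enqueue step that returns a single boolean, so the caller activates the extension whenever nothing was enqueued, with a three-state ScanOutcome whose failure value leads to quarantine.

```python
from enum import Enum, auto

class ScanOutcome(Enum):
    NO_SCANNERS = auto()     # nothing configured: immediate release is intended
    QUEUED = auto()          # jobs enqueued: publication waits for results
    ENQUEUE_FAILED = auto()  # system error: no scan will ever run

class PoolExhausted(RuntimeError):
    """No free database connection in the constructed pool."""

class FakeJobQueue:
    """Constructed stand-in for a DB-backed scan queue with a small connection pool."""
    def __init__(self, pool_size):
        self.pool_size, self.in_use = pool_size, 0

    def enqueue(self, job):
        if self.in_use >= self.pool_size:
            raise PoolExhausted("no free database connections")
        self.in_use += 1  # a real queue would also persist the job here

def enqueue_scans_vulnerable(scanners, queue, ext):
    """True if any job was enqueued; False for 'no scanners' AND 'every enqueue failed'."""
    enqueued = False
    for name in scanners:
        try:
            queue.enqueue((name, ext))
            enqueued = True
        except PoolExhausted:
            pass  # swallowed: the caller never learns that this happened
    return enqueued

def publish_vulnerable(scanners, queue, ext):
    # Fail-open: 'nothing enqueued' is read as 'nothing to scan', so activate.
    return "PENDING" if enqueue_scans_vulnerable(scanners, queue, ext) else "ACTIVE"

def enqueue_scans_fixed(scanners, queue, ext):
    """Three-way result: 'no work needed' and 'work failed' never share a value."""
    if not scanners:
        return ScanOutcome.NO_SCANNERS
    for name in scanners:
        try:
            queue.enqueue((name, ext))
        except PoolExhausted:
            return ScanOutcome.ENQUEUE_FAILED  # one failed scan fails the whole step
    return ScanOutcome.QUEUED

def publish_fixed(scanners, queue, ext):
    outcome = enqueue_scans_fixed(scanners, queue, ext)
    if outcome is ScanOutcome.ENQUEUE_FAILED:
        return "QUARANTINED"  # fail-closed: a scan that never ran is not a clean scan
    return "ACTIVE" if outcome is ScanOutcome.NO_SCANNERS else "PENDING"
```

With the pool already full, the boolean version activates the extension while the three-state version quarantines it; with no scanners configured, both correctly activate.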
Conclusion
While the Eclipse Foundation has taken proactive steps to secure the Open VSX ecosystem, the "Open Sesame" flaw highlights how a single line of ambiguous code can undermine an entire security layer. As VS Code forks continue to grow in popularity, the registries supporting them remain a high-value target for attackers looking to compromise developer environments.
Source
Article Title: Open VSX Bug Let Malicious VS Code Extensions Bypass Pre-Publish Security Checks
URL: https://thehackernews.com/2026/03/open-vsx-bug-let-malicious-vs-code.html