
Bypass of Open VSX Pre-Publish Scanning via Boolean Return Value Flaw

1 unique source, 1 article

Summary


A design flaw in Open VSX's pre-publish scanning pipeline enabled malicious Visual Studio Code (VS Code) extensions to bypass security vetting and become publicly available in the registry. The issue stemmed from a single boolean return value that conflated two distinct states: "no scanners are configured" and "the scan job failed to schedule." Under load, scanner failures (for example, when the database connection pool was exhausted and scan jobs could not be enqueued) were misinterpreted as "no scanners configured," so the system marked the extension as passed and activated it immediately, without it ever being scanned. The same logic was shared by the initial publish flow and by a recovery service designed to retry failed scans, so the retry path inherited the flaw. An attacker with a standard publisher account could exploit this by flooding the publish endpoint to exhaust the database connection pool, preventing scan jobs from being enqueued and allowing a malicious extension to be activated unscanned. The flaw was patched in Open VSX version 0.32.0 on March 3, 2026, following disclosure on February 8, 2026.
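The shape of the flaw described above, as an added illustration that is not Open VSX code and does not reproduce its actual classes or method names: a scheduling routine returns a single boolean, so the caller cannot distinguish "nothing to scan" from "scheduling failed" and activates the extension in both cases. The hardened form beside it returns an explicit tri-state outcome and fails closed on the failure branch. The server is written in Java, so the example is Java; every identifier in it (PrePublishScanDemo, JobQueue, ScanOutcome, publishVulnerable, publishHardened) is a hypothetical name chosen for this example.

```java
import java.util.List;

// Hypothetical illustration of the boolean-conflation flaw; not Open VSX code.
public class PrePublishScanDemo {

    enum State { PENDING, ACTIVE }

    static class Extension {
        final String name;
        State state = State.PENDING;
        Extension(String name) { this.name = name; }
    }

    // Simulated job queue; a real one fails when the DB connection pool is exhausted.
    interface JobQueue {
        void enqueue(String job) throws Exception;
    }

    // ---- Vulnerable shape: one boolean carries two unrelated meanings ----
    // Returns false both when no scanners are configured AND when enqueueing
    // the scan job failed, so the caller cannot tell the two apart.
    static boolean scheduleScansBoolean(List<String> scanners, JobQueue queue, Extension ext) {
        if (scanners.isEmpty()) {
            return false;                       // "nothing to scan"
        }
        try {
            for (String scanner : scanners) queue.enqueue(scanner + ":" + ext.name);
            return true;                        // scans pending
        } catch (Exception e) {
            return false;                       // failure collapsed into the same value
        }
    }

    static void publishVulnerable(List<String> scanners, JobQueue queue, Extension ext) {
        boolean scheduled = scheduleScansBoolean(scanners, queue, ext);
        if (!scheduled) {
            ext.state = State.ACTIVE;           // treats a failure as "no scanners": unsafe
        }
    }

    // ---- Hardened shape: distinct outcomes, fail closed on error ----
    enum ScanOutcome { NO_SCANNERS_CONFIGURED, SCANS_PENDING, SCHEDULING_FAILED }

    static ScanOutcome scheduleScans(List<String> scanners, JobQueue queue, Extension ext) {
        if (scanners.isEmpty()) return ScanOutcome.NO_SCANNERS_CONFIGURED;
        try {
            for (String scanner : scanners) queue.enqueue(scanner + ":" + ext.name);
            return ScanOutcome.SCANS_PENDING;
        } catch (Exception e) {
            return ScanOutcome.SCHEDULING_FAILED;
        }
    }

    static void publishHardened(List<String> scanners, JobQueue queue, Extension ext,
                                boolean allowUnscannedWhenNoScanners) {
        switch (scheduleScans(scanners, queue, ext)) {
            case NO_SCANNERS_CONFIGURED:
                // An explicit operator decision, not a side effect of a failure path.
                if (allowUnscannedWhenNoScanners) ext.state = State.ACTIVE;
                break;
            case SCANS_PENDING:
                break;                          // activated later by the scan-result handler
            case SCHEDULING_FAILED:
                // Leave the extension pending and surface the error to the caller.
                throw new IllegalStateException(
                        "scan scheduling failed for " + ext.name + "; publish rejected");
        }
    }

    public static void main(String[] args) {
        List<String> scanners = List.of("scanner-a");
        // Constructed failure mode: every enqueue fails, as under pool exhaustion.
        JobQueue exhaustedPool = job -> { throw new Exception("connection pool exhausted"); };

        Extension a = new Extension("evil-ext");
        publishVulnerable(scanners, exhaustedPool, a);
        System.out.println("vulnerable flow under load: " + a.state);

        Extension b = new Extension("evil-ext");
        try {
            publishHardened(scanners, exhaustedPool, b, false);
        } catch (IllegalStateException e) {
            System.out.println("hardened flow under load: " + b.state + " (" + e.getMessage() + ")");
        }
    }
}
```

With the enqueue failing on every call, the vulnerable flow activates the extension even though a scanner is configured and nothing was scanned; the hardened flow leaves it pending and rejects the publish. The same tri-state outcome should drive any retry or recovery path, so that a retry which also fails to schedule cannot fall into the "no scanners" branch either.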

Timeline

  1. 27.03.2026 15:57 · 1 article

    Boolean Return Value Flaw in Open VSX Pre-Publish Scanning Allows Malicious Extension Bypass

    A design flaw in Open VSX’s pre-publish scanning pipeline caused scanner job failures to be misinterpreted as "no scanners configured," allowing malicious VS Code extensions to bypass security vetting and be published. The issue affected both the initial publish flow and a recovery service, enabling attackers with standard accounts to exploit load-induced database exhaustion to evade detection. The flaw was patched in Open VSX version 0.32.0 on March 3, 2026.

