A significant security vulnerability has been discovered in Open VSX, the extension marketplace widely used by code editors such as Cursor and Windsurf, along with the VS Code fork ecosystem.
Understanding the Vulnerability
The issue was identified within Open VSX’s newly implemented pre-publish scanning pipeline. This security feature was intended to scrutinize each extension before it became available to users. Dubbed ‘Open Sesame,’ this flaw allowed malicious extensions to bypass the security checks and appear legitimate to users.
The scanning pipeline aimed to detect malware, search for hardcoded secrets, and prevent malicious actors from imitating popular extension names. Extensions were held inactive until all security checks were passed, theoretically enhancing ecosystem security.
Technical Details of the Flaw
Researchers from Koi pinpointed the problem to a boolean return value within the scanning code. That single value meant either that no scanners were configured or that every scanner had failed during the run, and the calling code treated both cases as a clean result, so extensions that had never actually been checked were marked as ‘PASSED.’
The vulnerability was exploitable without special access, as any user with a publisher account could overwhelm the endpoint with multiple uploads, exhausting the database connection pool and causing scanner jobs to fail.
Response and Recommendations
The vulnerability was responsibly reported to the Open VSX team on February 8, 2026, and a fix was implemented by February 11, 2026. This rapid response mitigated further risk to users.
Developers are advised to separate failure states from non-operational states within scanning pipelines. A single return value should not convey both a configuration choice and a system error. Implementing rate limits on publish endpoints is also recommended to prevent connection overload.
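The two design points above, a boolean that cannot distinguish "nothing ran" from "everything ran clean" and a result type that can, are easier to see side by side. The following is an added illustration written for this article; it is not Open VSX code and does not reproduce the actual scanning pipeline. The extension format, the scanner functions, the `Verdict` names and the rate limiter are all constructed for the example, and the exhausted-pool scanner simply raises to stand in for a scanner job that dies without a database connection.

```python
"""Fail-open vs fail-closed pre-publish scanning (constructed example, not Open VSX code)."""
from collections import defaultdict, deque
from enum import Enum
from typing import Callable

# An extension package, modelled here as a name plus a map of file path -> text.
Extension = dict
# A scanner returns a list of findings (empty list = clean) and raises
# ScannerUnavailable when it cannot complete at all.
Scanner = Callable[[Extension], list]


class ScannerUnavailable(RuntimeError):
    """Raised when a scanner could not run, as opposed to running and finding nothing."""


def private_key_scanner(ext: Extension) -> list:
    """Toy secret scanner: flags files that embed a PEM private key."""
    marker = "-----BEGIN PRIVATE KEY-----"
    return [f"{path}: embedded private key"
            for path, text in ext["files"].items() if marker in text]


def exhausted_pool_scanner(ext: Extension) -> list:
    """Stands in for a scanner job that dies because no DB connection is available."""
    raise ScannerUnavailable("could not acquire database connection")


def scan_boolean(ext: Extension, scanners: list) -> bool:
    """Flawed design (constructed): one boolean means 'nothing blocked publication'.
    It is True when no scanner is configured, when every scanner crashed, and when
    every scanner ran clean, so the caller cannot tell those three apart."""
    findings = []
    for scanner in scanners:
        try:
            findings.extend(scanner(ext))
        except ScannerUnavailable:
            pass  # a crashed job simply contributes no findings
    return not findings  # vacuously True for [] and for all-crashed


class Verdict(Enum):
    PASSED = "passed"                  # every configured scanner ran and found nothing
    REJECTED = "rejected"              # at least one scanner reported a finding
    ERROR = "error"                    # at least one scanner could not complete
    NOT_CONFIGURED = "not_configured"  # no scanners installed: an operator choice


def scan_fail_closed(ext: Extension, scanners: list) -> Verdict:
    """Hardened design: each situation gets its own verdict; only PASSED can publish."""
    if not scanners:
        return Verdict.NOT_CONFIGURED
    had_error = False
    for scanner in scanners:
        try:
            if scanner(ext):
                return Verdict.REJECTED
        except ScannerUnavailable:
            had_error = True  # keep going so a real finding can still reject
    return Verdict.ERROR if had_error else Verdict.PASSED


def may_publish(verdict: Verdict) -> bool:
    """The gate is an allow-list on PASSED; every other state holds the extension."""
    return verdict is Verdict.PASSED


class PublishRateLimiter:
    """Sliding-window limit per publisher so one account cannot flood the scan queue."""

    def __init__(self, max_requests: int, window_seconds: float):
        self.max_requests = max_requests
        self.window = window_seconds
        self._hits = defaultdict(deque)

    def allow(self, publisher: str, now: float) -> bool:
        hits = self._hits[publisher]
        while hits and now - hits[0] >= self.window:
            hits.popleft()  # drop requests that fell out of the window
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True


if __name__ == "__main__":
    leaky = {"name": "leaky.ext",
             "files": {"config.js": "const k = '-----BEGIN PRIVATE KEY-----...';"}}
    # Both boolean calls report "clean" even though nothing was ever inspected.
    print("boolean, no scanners:", scan_boolean(leaky, []))
    print("boolean, scanner crashed:", scan_boolean(leaky, [exhausted_pool_scanner]))
    print("fail-closed, scanner crashed:", scan_fail_closed(leaky, [exhausted_pool_scanner]))
```

Two choices carry the fix. First, `may_publish` checks for exactly one state instead of "anything that is not a rejection", so a new failure mode added later is held by default rather than waved through. Second, `scan_fail_closed` keeps running after an infrastructure error so that a scanner that does complete can still reject the package, while the verdict as a whole stays `ERROR` until the crashed scanner has been retried.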
Users who installed extensions from Open VSX prior to the February 11 patch should review them for potential issues. Ensuring robust security measures in software development is crucial to protecting users from similar vulnerabilities in the future.
