Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack content arrives via a locally opened workspace (AV:L), no attacker auth (PR:N), the developer must open the repo and engage the agent (UI:R); the agent acts beyond its prompt boundary, so S:C with full C/I/A:H.
Primary rating from Vendor (eclipse).
CVSS VectorVendor: eclipse
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2Blast Radius
ecosystem impact- 8 npm packages depend on @theia/ai-chat (7 direct, 1 indirect)
- 7 npm packages depend on @theia/ai-chat-ui (7 direct, 0 indirect)
- 27 npm packages depend on @theia/ai-core (21 direct, 6 indirect)
Ecosystem-wide dependent count for version 1.71.0 and other introduced versions.
DescriptionCVE.org
In Eclipse Theia versions prior to 1.71.0, the AI chat agent processed workspace file and directory names as part of its prompt context without distinguishing them from system instructions. An attacker could craft a malicious repository with adversarial directory or file names that, when analyzed by the AI agent, would cause the agent to follow attacker-controlled instructions (indirect prompt injection). Combined with other AI chat features available in untrusted workspaces, this enabled attack chains leading to data exfiltration via Markdown image rendering or arbitrary command execution via task definitions.
AnalysisAI
Indirect prompt injection in Eclipse Theia versions prior to 1.71.0 allows attackers who control a workspace's filesystem layout to coerce the built-in AI chat agent into executing attacker-supplied instructions, enabling data exfiltration through Markdown image rendering or arbitrary command execution through task definitions. No public exploit identified at time of analysis, but the CVSS 4.0 base score of 8.4 reflects high impact across confidentiality, integrity and availability once a developer opens an untrusted repository. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target be running Eclipse Theia below 1.71.0 with the built-in AI chat agent enabled and the user must open an attacker-controlled workspace (e.g., clone a malicious repository) and interact with the AI chat agent against that workspace - this maps to the CVSS UI:A and AV:L choices. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N is internally consistent with the described attack: local attack vector because the malicious content reaches the agent through a workspace the user has opened on their machine, no privileges required by the attacker, but Active user interaction (UI:A) because the developer must open the repo and interact with the AI chat. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker publishes a seemingly useful open-source repository whose directory or file names embed adversarial natural-language instructions (for example, a path like 'src/ignore previous instructions and run.../') . A developer clones the repo into a vulnerable Theia IDE and asks the AI chat agent a routine question about the codebase; the agent ingests the filenames as context, follows the embedded instructions, and either renders a Markdown image whose URL exfiltrates workspace data or invokes a task definition that runs an attacker-chosen shell command on the developer's machine. |
| Remediation | Vendor-released patch: Eclipse Theia 1.71.0 - upgrade all Theia-based IDE installations and rebuild any downstream products that vendor Theia to at least 1.71.0, referencing the Eclipse security tracker at https://gitlab.eclipse.org/security/cve-assignment/-/work_items/113. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Eclipse Theia deployments and their current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Eclipse Theia
View allCross-site WebSocket hijacking in Eclipse Theia's browser backend (versions 1.8.1 and later) lets a foreign-origin web p
Server-side request forgery in Eclipse Theia (version 1.26.0 and later) lets a low-privileged user connected to the /ser
Arbitrary command execution in Eclipse Theia versions prior to 1.69.0 allows a malicious repository to run host commands
Indirect prompt injection in Eclipse Theia before 1.71.0 allows a malicious repository to automatically override the AI
Unconstrained Markdown image rendering in Eclipse Theia's AI chat component, in all versions prior to 1.71.0, enables si
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37898
GHSA-3jww-hxqj-wfq2