Bugs and weaknesses

[pwin]

Question

Is Theia susceptible to the same bugs and weaknesses as VS Code? For example. the recent glassworm ( https://cybersecuritynews.com/glassworm-malware-hits-openvsx-and-microsoft-visual-studio/) was/is a major problem. What about other security CVEs?

[github-actions[bot]]

Hi @pwin, thanks for starting this discussion! 👋

The Theia community will take a look soon. In the meantime, you might find helpful information in:

• 📖 Theia Documentation
• ❓ FAQ
• 💬 Previous Discussions

---

💙 Eclipse Theia is built and maintained by a community of contributors and sponsors. If Theia is valuable to your work, consider sponsoring the project. For professional support, training, or consulting services, learn more about available options.

[msujew]

Hey @pwin,

What about other security CVEs?

you will find our security policy here. In case someone discovers a security vulnerability (reported through the Eclipse Foundation), we will take steps to mitigate these as fast as possible.

Is Theia susceptible to the same bugs and weaknesses as VS Code?

It obviously depends. Does the issue originate from the VS Code codebase itself? Then likely no, since Theia is not a fork of VS Code. But if a user installs a malicious VS Code extension in Theia, there's little we can do about it. They will experience the same issues as in VS Code, since the extension system architecture is the same.

When installing an extension, users should generally try to use verified extensions, which are less likely to be malicious:

(verified uses blue icon, while the extension above is unverified)

[pwin]

I'm reading about supply chain subversion - https://thehackernews.com/2026/01/vs-code-forks-recommend-missing.html for example, and wonder if there can be anything put directly into the Theia codebase to sanitise or otherwise defend from these types of attack

[msujew]

Sanitization of VS Code extensions is effectively impossible from our end - they require full access to the underlying system to run. Meaning that sandboxing them in one way or another will likely break a lot of extensions.

I guess that this attack in particular can be defended against by removing the prompt to install recommended extensions - but that would fully remove the feature. In the end, the risk is on the user end - they should only install extensions they are comfortable with installing.