Missing Origin Validation in WebSockets Affecting @theia/core package, versions <1.73.0


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-JS-THEIACORE-17810710
  • published3 Jul 2026
  • disclosed3 Jul 2026
  • creditAnwarAyoob

Introduced: 3 Jul 2026

NewCVE-2026-10054  (opens in a new tab)
CWE-1385  (opens in a new tab)

How to fix?

Upgrade @theia/core to version 1.73.0 or higher.

Overview

@theia/core is a the main extension for all Theia-based applications, and provides the main framework for all dependent extensions.

Affected versions of this package are vulnerable to Missing Origin Validation in WebSockets via the shell-terminal and terminals/:id WebSocket endpoints when origin validation is bypassed due to missing or manipulated headers. An attacker can execute arbitrary operating system commands and access their output by enticing a user to visit a malicious web page while a vulnerable instance is running.

CVSS Base Scores

version 4.0
version 3.1