GHSA-v9w2-v7j9-rjpr
GitHub Security Advisory
Remote code execution in Eclipse Theia
✓ GitHub Reviewed
HIGH
Has CVE
Advisory Details
In Eclipse Theia 0.3.9 to 1.8.1, the "mini-browser" extension allows a user to preview HTML files in an iframe inside the IDE. Because of the way the preview is implemented, a previewed HTML file can trigger remote code execution (RCE). The exploit only works if a user previews a malicious file.
Affected Packages
npm
@theia/mini-browser
Affected versions: 0.3.9 (fixed in 1.9.0)
Related CVEs
Key Information
7.5/10
Dataset
Last updated: November 25, 2025 6:29 AM
Data from GitHub Advisory Database. This information is provided for research and educational purposes.