{“lastseen”:”2025-12-06T15:40:02″,”description”:”\\n\\nOver 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution.\\n\\nThe security shortcomings have been collectively named **IDEsaster** by security researcher Ari Marzouk (MaccariTA). They affect popular IDEs and extensions such as Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie, and Cline, among others. Of these, 24 have been assigned CVE identifiers.\\n\\n\\”I think the fact that multiple universal attack chains affected each and every AI IDE tested is the most surprising finding of this research,\\” Marzouk told The Hacker News.\\n\\n\\”All AI IDEs (and coding assistants that integrate with them) effectively ignore the base software (IDE) in their threat model. They treat their features as inherently safe because they’ve been there for years. However, once you add AI agents that can act autonomously, the same features can be weaponized into data exfiltration and RCE primitives.\\”\\n\\nAt its core, these issues chain three different vectors that are common to AI-driven IDEs -\\n\\n * Bypass a large language model’s (LLM) guardrails to hijack the context and perform the attacker’s bidding (aka prompt injection)\\n * Perform certain actions without requiring any user interaction via an AI agent’s auto-approved tool calls\\n * Trigger an IDE’s legitimate features that allow an attacker to break out of the security boundary to leak sensitive data or execute arbitrary commands\\n\\n\\n\\nThe highlighted issues are different from prior attack chains that have leveraged prompt injections in conjunction with vulnerable tools (or abusing legitimate tools to perform read or write actions) to modify an AI agent’s configuration to achieve code execution or other unintended behavior.\\n\\n\\n\\nWhat makes IDEsaster notable is that it takes prompt injection primitives and an agent’s tools, using them to activate legitimate features of the IDE to result in information leakage or command execution.\\n\\nContext hijacking can be pulled off in myriad ways, including through user-added context references that can take the form of pasted URLs or text with hidden characters that are not visible to the human eye, but can be parsed by the LLM. Alternatively, the context can be polluted by using a Model Context Protocol (MCP) server through tool poisoning or rug pulls, or when a legitimate MCP server parses attacker-controlled input from an external source.\\n\\nSome of the identified attacks made possible by the new exploit chain is as follows -\\n\\n * **CVE-2025-49150 (Cursor), CVE-2025-53097 (Roo Code), CVE-2025-58335 (JetBrains Junie), GitHub Copilot (no CVE), Kiro.dev (no CVE), and Claude Code (addressed with a security warning)** \\\\- Using a prompt injection to read a sensitive file using either a legitimate (\\”read_file\\”) or vulnerable tool (\\”search_files\\” or \\”search_project\\”) and writing a JSON file via a legitimate tool (\\”write_file\\” or \\”edit_file)) with a remote JSON schema hosted on an attacker-controlled domain, causing the data to be leaked when the IDE makes a GET request\\n * **CVE-2025-53773 (GitHub Copilot), CVE-2025-54130 (Cursor), CVE-2025-53536 (Roo Code), CVE-2025-55012 (Zed.dev), and Claude Code (addressed with a security warning)** \\\\- Using a prompt injection to edit IDE settings files (\\”.vscode\/settings.json\\” or \\”.idea\/workspace.xml\\”) to achieve code execution by setting \\”php.validate.executablePath\\” or \\”PATH_TO_GIT\\” to the path of an executable file containing malicious code\\n * **CVE-2025-64660 (GitHub Copilot), CVE-2025-61590 (Cursor), and CVE-2025-58372 (Roo Code)** \\\\- Using a prompt injection to edit workspace configuration files (*.code-workspace) and override multi-root workspace settings to achieve code execution\\n\\n\\n\\nIt’s worth noting that the last two examples hinge on an AI agent being configured to auto-approve file writes, which subsequently allows an attacker with the ability to influence prompts to cause malicious workspace settings to be written. But given that this behavior is auto-approved by default for in-workspace files, it leads to arbitrary code execution without any user interaction or the need to reopen the workspace.\\n\\n\\n\\nWith prompt injections and jailbreaks acting as the first step for the attack chain, Marzouk offers the following recommendations -\\n\\n * _Only use AI IDEs (and AI agents) with trusted projects and files. Malicious rule files, instructions hidden inside source code or other files (README), and even file names can become prompt injection vectors._\\n * _Only connect to trusted MCP servers and continuously monitor these servers for changes (even a trusted server can be breached). Review and understand the data flow of MCP tools (e.g., a legitimate MCP tool might pull information from attacker controlled source, such as a GitHub PR)_\\n * _Manually review sources you add (such as via URLs) for hidden instructions (comments in HTML \/ css-hidden text \/ invisible unicode characters, etc.)_\\n\\n\\n\\nDevelopers of AI agents and AI IDEs are advised to apply the principle of least privilege to LLM tools, minimize prompt injection vectors, harden the system prompt, use sandboxing to run commands, perform security testing for path traversal, information leakage, and command injection.\\n\\nThe disclosure coincides with the discovery of several vulnerabilities in AI coding tools that could have a wide range of impacts -\\n\\n * A command injection flaw in OpenAI Codex CLI (CVE-2025-61260) that takes advantage of the fact that the program implicitly trusts commands configured via MCP server entries and executes them at startup without seeking a user’s permission. This could lead to arbitrary command execution when a malicious actor can tamper with the repository’s \\”.env\\” and \\”.\/.codex\/config.toml\\” files.\\n * An indirect prompt injection in Google Antigravity using a poisoned web source that can be used to manipulate Gemini into harvesting credentials and sensitive code from a user’s IDE and exfiltrating the information using a browser subagent to browse to a malicious site.\\n * Multiple vulnerabilities in Google Antigravity that could result in data exfiltration and remote command execution via indirect prompt injections, as well as leverage a malicious trusted workspace to embed a persistent backdoor to execute arbitrary code every time the application is launched in the future.\\n * A new class of vulnerability named PromptPwnd that targets AI agents connected to vulnerable GitHub Actions (or GitLab CI\/CD pipelines) with prompt injections to trick them into executing built-in privileged tools that lead to information leak or code execution.\\n\\n\\n\\n\\n\\nAs agentic AI tools are becoming increasingly popular in enterprise environments, these findings demonstrate how AI tools expand the attack surface of development machines, often by leveraging an LLM’s inability to distinguish between instructions provided by a user to complete a task and content that it may ingest from an external source, which, in turn, can contain an embedded malicious prompt.\\n\\n\\”Any repository using AI for issue triage, PR labeling, code suggestions, or automated replies is at risk of prompt injection, command injection, secret exfiltration, repository compromise and upstream supply chain compromise,\\” Aikido researcher Rein Daelman said.\\n\\nMarzouk also said the discoveries emphasized the importance of \\”Secure for AI,\\” which is a new paradigm that has been coined by the researcher to tackle security challenges introduced by AI features, thereby ensuring that products are not only secure by default and secure by design, but are also conceived keeping in mind how AI components can be abused over time.\\n\\n\\”This is another example of why the ‘Secure for AI’ principle is needed,\\” Marzouk said. \\”Connecting AI agents to existing applications (in my case IDE, in their case GitHub Actions) creates new emerging risks.\\”\\n\\nFound this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post.\\n”,”published”:”2025-12-06T15:24:00″,”modified”:”2025-12-06T15:24:41″,”type”:”thn”,”title”:”Researchers Uncover 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks”,”source”:””,”references”:””,”id”:”THN:97FBCF90F55D2560E56A4EDCE6464097″,”bulletinFamily”:”info”,”cwe”:null,”cvelist”:[“CVE-2025-49150″,”CVE-2025-53097″,”CVE-2025-53536″,”CVE-2025-53773″,”CVE-2025-54130″,”CVE-2025-55012″,”CVE-2025-58335″,”CVE-2025-58372″,”CVE-2025-61260″,”CVE-2025-61590″,”CVE-2025-64660″],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:9.8,”severity”:”CRITICAL”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:H\/I:H\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/thehackernews.com\/2025\/12\/researchers-uncover-30-flaws-in-ai.html”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-06T15:40:02″,”description”:”\\n\\nOver 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[9,6,8,35,12,13,7,11,43,5],"class_list":["post-29115","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-critical","tag-cve","tag-cvss","tag-cvss-98","tag-exploit","tag-news","tag-security","tag-tapic","tag-thn","tag-vulnerability"],"yoast_head":"\n