Connect with us

AI & Machine Learning

Researchers Uncover 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks

Published

on

Researchers have uncovered more than 30 security vulnerabilities across a wide range of AI-powered coding tools and IDE extensions, exposing developers to risks including data exfiltration, remote code execution (RCE), and widespread compromise of development environments.

The flaws — collectively named “IDEsaster” — were identified by security researcher Ari Marzouk (MaccariTA) and impact popular tools such as Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie, and Cline. At least 24 of these issues have received CVE identifiers.

AI IDEs Under Attack: How the Exploit Chain Works

According to Marzouk, nearly every tested AI IDE was vulnerable to a universal attack chain. The vulnerabilities arise when long-standing, legitimate IDE features interact with autonomous AI agents capable of acting without user approval.

The flaws rely on chaining three core elements common in AI-driven development platforms:

  1. Prompt injection to bypass LLM guardrails and hijack context
  2. Auto-approved tool actions performed by AI agents without user interaction
  3. Legitimate IDE features that can be abused to access sensitive files or execute commands

This combination allows attackers to weaponize routine IDE functionality and turn it into a vector for serious breaches.

Context Hijacking Through Innocent-Looking Inputs

Attackers can manipulate context using:

  • Pasted text or URLs containing hidden characters
  • Polluted data from compromised Model Context Protocol (MCP) servers
  • Tool poisoning or “rug pulls”
  • Legitimate sources that parse attacker-controlled content

Once the attacker gains control over the AI agent’s context, they can trigger harmful actions within the IDE.

Examples of Confirmed Vulnerabilities

The research highlights several practical attack scenarios:

1. Data Exfiltration via JSON Schema Hijacking

A prompt injection forces the AI agent to read sensitive files and write a JSON file pointing to an attacker-controlled server. When the IDE fetches the remote schema, data is leaked automatically.
Affected: Cursor (CVE-2025-49150), Roo Code, Junie (CVE-2025-58335), GitHub Copilot, Kiro.dev, Claude Code.

2. RCE via Malicious Changes to Settings Files

Attackers modify IDE settings (e.g., .vscode/settings.json) to replace paths such as php.validate.executablePath with malicious executables — resulting in code execution.
Affected: Copilot, Cursor, Roo Code, Zed.dev, Claude Code.

3. Workspace Configuration Abuse

Editing multi-root workspace settings (*.code-workspace) allows attackers to insert malicious configuration options that trigger code execution with no user interaction required.
Affected: Copilot (CVE-2025-64660), Cursor, Roo Code.

Many of these attacks succeed because file writes within the workspace are auto-approved by default, allowing seamless RCE without prompting the user.

Growing List of AI Tool Vulnerabilities

The IDEsaster disclosure coincides with several other significant findings:

  • OpenAI Codex CLI (CVE-2025-61260): Command injection via MCP server configuration files
  • Google Antigravity: Multiple prompt injection flaws leading to credential theft and persistent backdoors
  • PromptPwnd: A new vulnerability class targeting AI agents connected to GitHub Actions and CI/CD pipelines

These findings show how AI automation dramatically expands the attack surface within modern developer environments.

Recommendations for Developers Using AI IDEs

Marzouk and other researchers offer key guidance:

  • Only work with trusted projects and files
  • Avoid connecting AI agents to untrusted MCP servers
  • Manually review URLs or pasted content for hidden instructions
  • Apply least privilege to AI tools and sandbox command execution
  • Harden system prompts and conduct routine testing for RCE, path traversal, and data leaks

AI Security Requires a New Paradigm

Marzouk emphasizes the concept of “Secure for AI”, arguing that security models must evolve to reflect how AI tools interact with applications.

“Connecting AI agents to existing systems creates new risks,” he said. “Security must be designed with the future misuse of AI components in mind.”

With AI-driven development tools becoming mainstream in enterprises, these vulnerabilities highlight the urgent need for developers and vendors to rethink security for an era where LLMs can autonomously act on external data — whether benign or malicious.

Advertisement
Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO