Researchers have uncovered more than 30 security vulnerabilities across a wide range of AI-powered coding tools and IDE extensions, exposing developers to risks including data exfiltration, remote code execution (RCE), and widespread compromise of development environments.
The flaws — collectively named “IDEsaster” — were identified by security researcher Ari Marzouk (MaccariTA) and impact popular tools such as Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie, and Cline. At least 24 of these issues have received CVE identifiers.
AI IDEs Under Attack: How the Exploit Chain Works
According to Marzouk, nearly every tested AI IDE was vulnerable to a universal attack chain. The vulnerabilities arise when long-standing, legitimate IDE features interact with autonomous AI agents capable of acting without user approval.
The flaws rely on chaining three core elements common in AI-driven development platforms:
- Prompt injection to bypass LLM guardrails and hijack context
- Auto-approved tool actions performed by AI agents without user interaction
- Legitimate IDE features that can be abused to access sensitive files or execute commands
This combination allows attackers to weaponize routine IDE functionality and turn it into a vector for serious breaches.
Context Hijacking Through Innocent-Looking Inputs
Attackers can manipulate context using:
- Pasted text or URLs containing hidden characters
- Polluted data from compromised Model Context Protocol (MCP) servers
- Tool poisoning or “rug pulls”
- Legitimate sources that parse attacker-controlled content
Once the attacker gains control over the AI agent’s context, they can trigger harmful actions within the IDE.
Examples of Confirmed Vulnerabilities
The research highlights several practical attack scenarios:
1. Data Exfiltration via JSON Schema Hijacking
A prompt injection forces the AI agent to read sensitive files and write a JSON file pointing to an attacker-controlled server. When the IDE fetches the remote schema, data is leaked automatically.
Affected: Cursor (CVE-2025-49150), Roo Code, Junie (CVE-2025-58335), GitHub Copilot, Kiro.dev, Claude Code.
2. RCE via Malicious Changes to Settings Files
Attackers modify IDE settings (e.g., .vscode/settings.json) to replace paths such as php.validate.executablePath with malicious executables — resulting in code execution.
Affected: Copilot, Cursor, Roo Code, Zed.dev, Claude Code.
3. Workspace Configuration Abuse
Editing multi-root workspace settings (*.code-workspace) allows attackers to insert malicious configuration options that trigger code execution with no user interaction required.
Affected: Copilot (CVE-2025-64660), Cursor, Roo Code.
Many of these attacks succeed because file writes within the workspace are auto-approved by default, allowing seamless RCE without prompting the user.
Growing List of AI Tool Vulnerabilities
The IDEsaster disclosure coincides with several other significant findings:
- OpenAI Codex CLI (CVE-2025-61260): Command injection via MCP server configuration files
- Google Antigravity: Multiple prompt injection flaws leading to credential theft and persistent backdoors
- PromptPwnd: A new vulnerability class targeting AI agents connected to GitHub Actions and CI/CD pipelines
These findings show how AI automation dramatically expands the attack surface within modern developer environments.
Recommendations for Developers Using AI IDEs
Marzouk and other researchers offer key guidance:
- Only work with trusted projects and files
- Avoid connecting AI agents to untrusted MCP servers
- Manually review URLs or pasted content for hidden instructions
- Apply least privilege to AI tools and sandbox command execution
- Harden system prompts and conduct routine testing for RCE, path traversal, and data leaks
AI Security Requires a New Paradigm
Marzouk emphasizes the concept of “Secure for AI”, arguing that security models must evolve to reflect how AI tools interact with applications.
“Connecting AI agents to existing systems creates new risks,” he said. “Security must be designed with the future misuse of AI components in mind.”
With AI-driven development tools becoming mainstream in enterprises, these vulnerabilities highlight the urgent need for developers and vendors to rethink security for an era where LLMs can autonomously act on external data — whether benign or malicious.