IDEsaster: 30+ Vulnerabilities Found in AI-IDEs Allow Silent RCE and Data Theft
More than thirty vulnerabilities have been uncovered in popular AI-enhanced development environments, all of which allow attackers — through a combination of prompt injections and legitimate IDE capabilities — to silently exfiltrate data or execute remote commands. Researcher Ari Marzouk has dubbed the collection of issues IDEsaster, and the affected tools include Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie, and Cline. Twenty-four of the vulnerabilities have already been assigned CVE identifiers.
According to the researcher, the most striking discovery was that identical attack chains worked across virtually every AI-IDE tested. For years, developers of assistants and extensions assumed that built-in IDE features were intrinsically safe — a premise that collapses the moment autonomous AI agents are introduced into the ecosystem. Mechanisms once considered benign can suddenly become tools for data theft or arbitrary code execution.
At the core of these vulnerabilities lies a convergence of three common AI-IDE attack vectors: bypassing LLM safeguards through prompt injection, automatic agent-initiated actions without user involvement, and the misuse of legitimate IDE features to escape the expected security boundary. Unlike earlier scenarios, where prompt injections required vulnerable tools to be effective, IDEsaster repurposes ordinary development-environment features to leak data or execute commands.
Attackers can corrupt context in numerous ways: inserting hidden characters into text or URLs, manipulating data through the Model Context Protocol (MCP), poisoning MCP tools, or coercing a legitimate MCP server into processing malicious external content. Marzuki uncovered attack chains that allowed reading sensitive files, generating JSON files pointing to attacker-controlled resources, altering IDE settings, rebuilding configuration files, and ultimately achieving arbitrary command execution. Particularly dangerous is the fact that many AI agents automatically approve changes to project files, opening a path to compromise without any user interaction whatsoever.
Marzuki advises developers to use AI-IDEs only for trusted projects, scrutinize all external sources and URLs for hidden instructions, connect solely to vetted MCP servers, and closely monitor their behavior. He further recommends that tool builders constrain LLM capabilities, minimize prompt-injection avenues, strengthen system prompts, enforce sandboxing, and rigorously test protections against path-traversal, data-leak, and command-injection scenarios.
Additional disclosures have emerged regarding other AI-powered development tools as well. A critical flaw in OpenAI’s Codex CLI allows command execution at startup due to unconditional trust in MCP configuration. Google’s Antigravity was found to contain indirect prompt-injection chains capable of stealing credentials or implanting a persistent backdoor. A new class of vulnerabilities, PromptPwnd, demonstrates how CI/CD-linked AI agents can be deceived into performing privileged operations.
Collectively, these findings underscore how dramatically AI agents expand the attack surface: models cannot reliably distinguish real user intent from malicious fragments quietly woven into their context. As researcher Rein Daelman observed, this creates a pervasive risk of secret leakage, command injection, and repository compromise for any project using AI to automate development tasks.
Marzuki concludes that these incidents reveal an urgent need for a new security paradigm — Secure for AI — one that accounts for the ways AI components themselves can be weaponized throughout the entire product lifecycle.
Support Our Threat Intelligence
If you find our technology report and cybersecurity news helpful, consider supporting our work.
Buy Me a Coffee
PayPal
