More than 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered integrated development environments (IDEs) that combine accelerated injection primitives with legitimate features to achieve data exfiltration and remote code execution.
Security vulnerabilities are collectively named IDESaster By security researcher Ari Marzouk (McCarita). They affect popular IDEs and extensions such as Cursor, Windsurf, Kiro.dev, GitHub Copilot, Z.dev, Roo Code, Juni, and Kline. Of these, 24 have been assigned CVE identifiers.
“I think the fact that every AI IDE tested was affected by multiple universal attack chains is the most surprising finding of this research,” Marzouk told The Hacker News.
“All AI IDEs (and the coding assistants that integrate with them) effectively ignore the base software (IDE) in their threat models. They assume their features are inherently secure because they have been there for years. However, once you add AI agents that can act autonomously, those same features can be weaponized into data exfiltration and RCE primitives.”
At its core, these issues create a series of three distinct vectors that are common to AI-powered IDEs –
- Bypass a large language model (LLM) guardrail to hijack the context and execute the attacker’s quote (aka prompt injection)
- Perform certain actions without requiring any user interaction through the AI agent’s auto-approved tool call
- Trigger legitimate features of an IDE that allow an attacker to bypass security boundaries to leak sensitive data or execute arbitrary commands
The highlighted issues differ from earlier attack chains that have taken advantage of accelerated injection in combination with vulnerable tools (or misuse of legitimate tools to perform read or write operations) to modify the configuration of an AI agent to achieve code execution or other unintended behavior.
What makes IDEsaster notable is that it uses quick injection primitives and an agent’s tools to activate legitimate features of the IDE as a result of information leakage or command execution.
Context hijacking can be overcome in a myriad of ways, including user-added context references, which can take the form of pasted URLs or text with hidden characters that are not visible to the human eye, but can be parsed by LLMs. Alternatively, the context can be polluted by tool poisoning or carpet-pulling using Model Context Protocol (MCP) servers, or when a legitimate MCP server parses attacker-controlled input from an external source.
Some of the identified attacks made possible by the new exploit chain are –
- CVE-2025-49150 (Cursor), CVE-2025-53097 (Rue Code), CVE-2025-58335 (JetBrains Junkie), GitHub Copilot (no CVE), Kiro.dev (no CVE), and Cloud Code (addressed with security warning). – Using instant injection to read a sensitive file using a legitimate (“read_file”) or vulnerable tool (“search_files” or “search_project”) and writing a JSON file with a remote JSON schema hosted on an attacker-controlled domain through a legitimate tool (“write_file” or “edit_file”), causing data to be leaked when the IDE makes a GET request.
- CVE-2025-53773 (GitHub Copilot), CVE-2025-54130 (Cursor), CVE-2025-53536 (Roo Code), CVE-2025-55012 (Zed.dev), and Cloud Code (addressed with security alert). – Using a prompt injection to edit IDE settings files (.vscode/settings.json” or “.idea/workspace.xml”) to obtain code execution by setting “php.validate.executablePath” or “PATH_TO_GIT” to the path of the executable file containing the malicious code.
- CVE-2025-64660 (GitHub Copilot), CVE-2025-61590 (Cursor), and CVE-2025-58372 (Rue Code). – Using quick injection to edit workspace configuration files (*.code-workspace) and override multi-root workspace settings to achieve code execution
It’s worth noting that the last two examples rely on an AI agent that is configured to write an auto-approval file, which then gives an attacker the ability to influence write prompts to set malicious workspace settings. But given that this behavior is auto-approved by default for in-workspace files, it leads to arbitrary code execution without any user interaction or the need to reopen the workspace.
With quick injections and jailbreaks as the first steps to the attack chain, Marzouk offers the following recommendations –
- Only use AI IDEs (and AI agents) with trusted projects and files. Malicious rule files, instructions hidden inside source code or other files (README), and even file names can quickly become injection vectors.
- Connect only to trusted MCP servers and constantly monitor these servers for changes (even a trusted server can be breached). Review and understand the data flow of the MCP tool (for example, a legitimate MCP tool can pull information from an attacker-controlled source, such as a GitHub PR)
- Manually review the sources you add (such as via URL) for hidden directives (comments in HTML/CSS-hidden text/invisible Unicode characters, etc.)
Developers of AI agents and AI IDEs are advised to apply the principle of least privilege in LLM tools, minimize prompt injection vectors, harden system prompts, use sandboxing to run commands, perform security testing for path traversal, information leakage, and command injection.
The disclosure coincides with the discovery of several vulnerabilities in AI coding tools that could have wide-ranging implications –
- A command injection flaw in the OpenAI Codex CLI (CVE-2025-61260) that takes advantage of the fact that a program trusts commands configured via MCP server entries and executes them at startup without user permission. When a malicious actor can tamper with the “.env” and “./.codex/config.toml” files of the repository this can lead to arbitrary command execution.
- An indirect quick injection into Google AntiGravity using a poisoned web source that can be used to force Gemini to exfiltrate information from a user’s IDE by manipulating credentials and sensitive code and using a browser subagent to browse to a malicious site.
- Google AntiGravity has multiple vulnerabilities that could result in data exfiltration and remote command execution via indirect prompt injection, as well as being leveraged by a malicious Trusted Workbench to embed a persistent backdoor to execute arbitrary code every time the application is launched in the future.
- A new class of vulnerabilities, called PromptPwnd, that target AI agents associated with sensitive GitHub actions (or GitLab CI/CD pipelines) with prompt injections to prompt them to execute underlying privileged tools that cause information leakage or code execution.
As agentic AI tools become increasingly popular in enterprise environments, these findings demonstrate how AI tools expand the attack surface of development machines, often by taking advantage of the LLM’s inability to distinguish between instructions given by a user to complete a task and content received from an external source, which may, in turn, contain an embedded malicious signal.
“Any repository that uses AI for issue triage, PR labeling, code suggestions or automated replies is at risk for prompt injection, command injection, covert exfiltration, repository compromise, and upstream supply chain compromise,” said Aikido researcher Rene Dellman.
Marzouq also said the findings emphasize the importance of “securing AI,” which is a new paradigm the researchers coined to deal with the security challenges posed by AI features, ensuring that products are not only secure by default and secure by design, but are also conceived taking into account how AI components might be misused over time.
“This is another example of why the ‘Safe for AI’ principle is needed,” Marzouk said. “Connecting AI agents to existing applications (IDEs in my case, GitHub Actions in theirs) creates new emerging risks.”
