Cybersecurity

Researchers Uncover 30+ Flaws In AI Coding Tools Enabling Data...

2025-12-06 0 views admin
Researchers Uncover 30+ Flaws In AI Coding Tools Enabling Data...

Over 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution.

The security shortcomings have been collectively named IDEsaster by security researcher Ari Marzouk (MaccariTA). They affect popular IDEs and extensions such as Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie, and Cline, among others. Of these, 24 have been assigned CVE identifiers.

"I think the fact that multiple universal attack chains affected each and every AI IDE tested is the most surprising finding of this research," Marzouk told The Hacker News.

"All AI IDEs (and coding assistants that integrate with them) effectively ignore the base software (IDE) in their threat model. They treat their features as inherently safe because they've been there for years. However, once you add AI agents that can act autonomously, the same features can be weaponized into data exfiltration and RCE primitives."

At its core, these issues chain three different vectors that are common to AI-driven IDEs -

The highlighted issues are different from prior attack chains that have leveraged prompt injections in conjunction with vulnerable tools (or abusing legitimate tools to perform read or write actions) to modify an AI agent's configuration to achieve code execution or other unintended behavior.

What makes IDEsaster notable is that it takes prompt injection primitives and an agent's tools, using them to activate legitimate features of the IDE to result in information leakage or command execution.

Context hijacking can be pulled off in myriad ways, including through user-added context references that can take the form of pasted URLs or text with hidden characters that are not visible to the human eye, but can be parsed by the LLM. Alternatively, the context can be polluted by using a Model Context Protocol (MCP) server through tool poisoning or rug pulls, or when a legitimate MCP server parses attacker-controlled input from an external source.

Some of the identified attacks made possible by the new exploit chain is as follows -

It's worth noting that the last two examples hinge on an AI agent being configured to auto-approve file writes, which subsequently allows an attacker with the ability to influence prompts to cause malicious workspace settings to be written. But given that this beh

Source: The Hacker News

🏷️ Tags

securityhackcveattackthreat

More from Cybersecurity

Beware: Paypal Subscriptions Abused To Send Fake Purchase Emails

Beware: Paypal Subscriptions Abused To Send Fake Purchase Emails

2025-12-14 0
Cybervolk’s Ransomware Debut Stumbles On Cryptography Weakness

Cybervolk’s Ransomware Debut Stumbles On Cryptography Weakness

2025-12-13 0
Cisa Adds Actively Exploited Sierra Wireless Router Flaw Enabling...

Cisa Adds Actively Exploited Sierra Wireless Router Flaw Enabling...

2025-12-13 0
Apple Issues Security Updates After Two Webkit Flaws Found...

Apple Issues Security Updates After Two Webkit Flaws Found...

2025-12-13 0

Trending

1

CVE-2025-61481: Critical Remote Code Execution Vulnerability in MikroTik RouterOS & SwitchOS

2025-10-27 • 189 views
2

CVE-2025-43939: Dell Unity OS Command Injection (High)

2025-10-30 • 148 views
3

Google disputes false claims of massive Gmail data breach

2025-10-30 • 130 views
4

Microsoft: DNS outage impacts Azure and Microsoft 365 services

2025-10-30 • 88 views
5

3.5B Accounts, 1 Critical Flaw: Meta Closes WhatsApp Data-Harvesting

2025-11-25 • 81 views