A recent disclosure has unearthed over 30 security vulnerabilities in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs), paving the way for data exfiltration and remote code execution through a combination of prompt injection primitives and legitimate features.
Security researcher Ari Marzouk (MaccariTA) has coined these collective vulnerabilities as IDEsaster. The impacted IDEs and extensions include Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie, and Cline, among others, with 24 of them already assigned CVE identifiers.
“The most surprising finding of this research is that multiple universal attack chains affected each and every AI IDE tested,” Marzouk shared with The Hacker News.
He further explained, “All AI IDEs and coding assistants integrating with them tend to overlook the base software (IDE) in their threat model, assuming their features are inherently safe due to their longevity. However, the introduction of AI agents capable of autonomous actions can weaponize these features for data exfiltration and remote code execution.”
At the heart of these vulnerabilities lie three common vectors in AI-driven IDEs:
- Bypassing a large language model’s (LLM) guardrails to manipulate the context and execute malicious commands (prompt injection)
- Executing actions without user interaction via an AI agent’s auto-approved tool calls
- Exploiting an IDE’s legitimate features to breach security boundaries, leading to data leakage or unauthorized command execution
These issues differ from previous attack chains that relied on prompt injections alongside vulnerable tools or the abuse of legitimate tools to manipulate an AI agent’s configuration for code execution or other unintended actions.
What sets IDEsaster apart is its utilization of prompt injection primitives and agent tools to activate legitimate IDE features, resulting in information leakage or command execution.
Context hijacking can be executed through various means, including user-added context references like pasted URLs or text with concealed characters invisible to the naked eye but interpretable by the LLM. Other methods involve polluting the context using a Model Context Protocol (MCP) server through tool poisoning or rug pulls, or the exploitation of a legitimate MCP server parsing attacker-controlled input from an external source.
Some of the identified attacks made possible by this new exploit chain include:
- CVE-2025-49150 (Cursor), CVE-2025-53097 (Roo Code), CVE-2025-58335 (JetBrains Junie), GitHub Copilot (no CVE), Kiro.dev (no CVE), and Claude Code (addressed with a security warning) – Utilizing prompt injection to read sensitive files using legitimate (“read_file”) or vulnerable tools (“search_files” or “search_project”) and writing JSON files via legitimate tools (“write_file” or “edit_file”) with a remote JSON schema hosted on an attacker-controlled domain, leading to data leakage upon the IDE making a GET request
- CVE-2025-53773 (GitHub Copilot), CVE-2025-54130 (Cursor), CVE-2025-53536 (Roo Code), CVE-2025-55012 (Zed.dev), and Claude Code (addressed with a security warning) – Leveraging prompt injection to edit IDE settings files (“.vscode/settings.json” or “.idea/workspace.xml”) for code execution by setting “php.validate.executablePath” or “PATH_TO_GIT” to an executable file path containing malicious code
- CVE-2025-64660 (GitHub Copilot), CVE-2025-61590 (Cursor), and CVE-2025-58372 (Roo Code) – Employing prompt injection to edit workspace configuration files (*.code-workspace) and override multi-root workspace settings for code execution
It’s imperative to note that the last two examples rely on an AI agent being configured to auto-approve file writes, enabling an attacker to influence prompts and write malicious workspace settings. This auto-approval behavior for in-workspace files facilitates arbitrary code execution without user interaction or workspace reopening.
With prompt injections and jailbreaks serving as the initial step in the attack chain, Marzouk recommends the following measures:
- Utilize AI IDEs and agents only with trusted projects and files. Malicious rule files, instructions embedded in source code or other files (README), and even file names can serve as prompt injection vectors.
- Connect exclusively to trusted MCP servers and regularly monitor these servers for alterations (even trusted servers can be compromised). Review and comprehend the data flow of MCP tools (e.g., a legitimate MCP tool might extract information from an attacker-controlled source like a GitHub PR).
- Manually inspect sources you add (e.g., via URLs) for hidden instructions (HTML comments, CSS-hidden text, invisible unicode characters, etc.).
Developers of AI agents and AI IDEs are urged to apply the principle of least privilege to LLM tools, minimize prompt injection vectors, fortify system prompts, utilize sandboxing for command execution, conduct security assessments for path traversal, information leakage, and command injection.
These revelations coincide with the unearthing of several vulnerabilities in AI coding tools that could have significant ramifications:
- An OpenAI Codex CLI vulnerability (CVE-2025-61260) rooted in a command injection flaw, capitalizing on the program’s implicit trust in commands configured through MCP server entries and executing them upon startup without user consent. This vulnerability could lead to arbitrary command execution if a malicious actor tampers with the repository’s “.env” and “./.codex/config.toml” files.
- An indirect prompt injection in Google Antigravity utilizing a poisoned web source to manipulate Gemini into harvesting credentials and sensitive code from a user’s IDE, subsequently exfiltrating the data using a browser subagent to access a malicious site.
- Multiple vulnerabilities in Google Antigravity culminating in data exfiltration and remote command execution through indirect prompt injections, as well as leveraging a malicious trusted workspace to embed a persistent backdoor for executing arbitrary code each time the application is launched.
- A novel class of vulnerability dubbed PromptPwnd targeting AI agents connected to vulnerable GitHub Actions (or GitLab CI/CD pipelines) via prompt injections to deceive them into executing built-in privileged tools, leading to information leaks or code execution.
As AI-powered tools gain traction in enterprise environments, these discoveries underscore how AI tools expand the attack surface of development machines, often by exploiting an LLM’s inability to differentiate between user-provided task instructions and external content, which may harbor malicious prompts.
“Any repository utilizing AI for issue triage, PR labeling, code suggestions, or automated responses is susceptible to prompt injection, command injection, secret exfiltration, repository compromise, and upstream supply chain compromise,” noted Aikido researcher Rein Daelman.
Marzouk emphasized that these findings underscore the necessity of “Secure for AI,” a new paradigm aimed at addressing security challenges posed by AI features to ensure products are not only secure by default and design but also consider potential abuses of AI components over time.
“This exemplifies why the ‘Secure for AI’ principle is crucial,” Marzouk emphasized. “Integrating AI agents into existing applications, such as IDEs in my case and GitHub Actions in their case, introduces new emerging risks.”
