Researchers Uncover 30+ Flaws in AI Coding Tools Enabling Data Theft & RCE Attacks

Over 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution.

The security shortcomings have been collectively named IDEsaster by security researcher Ari Marzouk (MaccariTA). They affect popular IDEs and extensions such as Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie, and Cline, among others. Of these, 24 have been assigned CVE identifiers.

“I think the fact that multiple universal attack chains affected each and every AI IDE tested is the most surprising finding of this research,” Marzouk told The Hacker News.

“All AI IDEs (and coding assistants that integrate with them) effectively ignore the base software (IDE) in their threat model. They treat their features as inherently safe because they’ve been there for years. However, once you add AI agents that can act autonomously, the same features can be weaponized into data exfiltration and RCE primitives.”

At their core, these issues chain three different vectors that are common to AI-driven IDEs:

  • Bypass a large language model’s (LLM) guardrails to hijack the context and perform the attacker’s bidding (aka prompt injection)
  • Perform certain actions without requiring any user interaction via an AI agent’s auto-approved tool calls
  • Trigger an IDE’s legitimate features that allow an attacker to break out of the security boundary to leak sensitive data or execute arbitrary commands

The highlighted issues differ from prior attack chains that have leveraged prompt injections in conjunction with vulnerable tools (or abused legitimate tools to perform read or write actions) to modify an AI agent’s configuration to achieve code execution or other unintended behavior.

What makes IDEsaster notable is that it uses prompt injection primitives and an agent’s tools to activate legitimate features of the IDE, resulting in information leakage or command execution.

(Source: The Hacker News)
