AI IDE Security Vulnerabilities Unleash “IDEsaster” Threat: Data Exfiltration and RCE Now a Reality
Security researchers have uncovered over thirty critical vulnerabilities within popular AI-powered Integrated Development Environments (IDEs), collectively dubbed “IDEsaster.” These flaws create new attack vectors that combine prompt injection techniques with legitimate IDE features, enabling attackers to exfiltrate sensitive data and execute remote code. The findings highlight a significant and evolving threat landscape for software development environments that integrate artificial intelligence.
The research, spearheaded by security analyst Ari Marzouk, identified security shortcomings in widely used IDEs and extensions such as Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie, and Cline. A substantial portion of these issues, specifically 24, have been assigned CVE identifiers, underscoring their severity and widespread impact. The alarming discovery suggests that AI development tools, intended to enhance productivity, are inadvertently opening doors for sophisticated cyberattacks.
The IDEsaster Attack Chain Explained
According to Marzouk, the core of the IDEsaster vulnerability lies in the exploitation of three fundamental elements common to AI-driven IDEs. Firstly, attackers can bypass the protective guardrails of Large Language Models (LLMs) to hijack the context, forcing the AI to execute the attacker’s malicious commands. This is commonly known as prompt injection.
Secondly, the vulnerabilities leverage the ability of AI agents to perform certain actions without explicit user interaction, through auto-approved tool calls. This allows for autonomous execution of malicious operations. Thirdly, these elements are chained to trigger legitimate features within the IDE itself. These features, when manipulated, can be weaponized to breach security boundaries, leading to the leakage of sensitive information or the execution of arbitrary commands on the developer’s machine.
This attack chain differs from previous ones by focusing on using prompt injection and AI agent tools to activate inherent IDE functionalities for malicious purposes, rather than solely manipulating AI agent configurations. The ability of AI agents to autonomously execute actions on codebases and development environments presents a novel and potent threat.
Context Hijacking and Its Implications
Context hijacking, a crucial component of the IDEsaster attack, can be achieved through various methods. One common technique involves manipulating user-added context references, such as pasted URLs or text containing hidden characters that are imperceptible to human users but can be parsed by the LLM. Additionally, context can be poisoned by compromising Model Context Protocol (MCP) servers, through techniques like tool poisoning or rug pulls. Even legitimate MCP servers become vulnerable when they process attacker-controlled input from external sources.
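The hidden-character vector described above can be caught before pasted text reaches the model. The following scanner is an added example written for this article, not code from the IDEsaster research or from any of the IDEs named: it flags Unicode format characters (zero-width spaces, bidi controls, Unicode “tag” characters) and variation selectors, renders any tag-encoded payload so a reviewer can see what the model would read, and returns a stripped copy. The sample string is constructed for illustration; the hidden payload spells the word “hidden”.

```python
"""Detect characters in LLM-bound text that an editor renders as nothing.

Added example for the hidden-character context-hijacking technique; the
code point ranges below are an illustrative (not exhaustive) assumption.
"""
import unicodedata
from dataclasses import dataclass

# Unicode tag characters U+E0020..U+E007E mirror printable ASCII at this offset.
TAG_BASE = 0xE0000
# Variation selectors are category Mn, so they need listing separately from Cf.
VARIATION_SELECTORS = set(range(0xFE00, 0xFE10)) | set(range(0xE0100, 0xE01F0))


@dataclass(frozen=True)
class Finding:
    offset: int      # index into the scanned string
    codepoint: int
    name: str


def is_hidden(ch: str) -> bool:
    """True for code points that render as nothing (or nearly nothing) in an editor."""
    if ord(ch) in VARIATION_SELECTORS:
        return True
    # Category Cf (format): zero-width joiners/spaces, bidi controls, tag characters.
    return unicodedata.category(ch) == "Cf"


def find_hidden_chars(text: str) -> list:
    return [Finding(i, ord(ch), unicodedata.name(ch, "UNKNOWN"))
            for i, ch in enumerate(text) if is_hidden(ch)]


def decode_tag_payload(text: str) -> str:
    """Render tag characters as the ASCII they mirror, so a reviewer can read them."""
    return "".join(chr(ord(ch) - TAG_BASE)
                   for ch in text if 0xE0020 <= ord(ch) <= 0xE007E)


def sanitize(text: str) -> str:
    """Return the text with every hidden code point removed."""
    return "".join(ch for ch in text if not is_hidden(ch))


def review_context(text: str) -> dict:
    """Summarise what a human sees versus what the model would ingest."""
    findings = find_hidden_chars(text)
    return {
        "hidden_count": len(findings),
        "findings": findings,
        "tag_payload": decode_tag_payload(text),
        "clean": sanitize(text),
    }


# Constructed sample: visible request, six tag characters spelling "hidden",
# then a zero-width space before the closing word.
SAMPLE = ("Please review this function."
          "\U000E0068\U000E0069\U000E0064\U000E0064\U000E0065\U000E006E"
          "\u200b Thanks!")

if __name__ == "__main__":
    report = review_context(SAMPLE)
    print(f"hidden code points: {report['hidden_count']}")
    for f in report["findings"]:
        print(f"  offset {f.offset}: U+{f.codepoint:05X} {f.name}")
    print(f"tag-encoded payload: {report['tag_payload']!r}")
    print(f"sanitized: {report['clean']!r}")
```

A gate like this belongs at the point where an IDE turns a pasted URL, file or snippet into context; the rendered tag payload is what a reviewer should look at, since the raw string appears identical to the clean one.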
Marzouk detailed several attack scenarios enabled by this vulnerability chain:
Data Exfiltration via Sensitive File Reading: In instances affecting Cursor, Roo Code, JetBrains Junie, GitHub Copilot, Kiro.dev, and Claude Code, prompt injection allows attackers to read sensitive files using legitimate or vulnerable tools. The attacker then crafts a JSON file hosted on a compromised domain. When the IDE attempts to load this JSON schema, it makes a GET request, inadvertently leaking the sensitive file data.
Remote Code Execution via IDE Settings Modification: Vulnerabilities in GitHub Copilot, Cursor, Roo Code, Zed.dev, and Claude Code enable prompt injection to maliciously alter IDE settings files, such as “.vscode/settings.json” or “.idea/workspace.xml.” By setting specific configuration paths like “php.validate.executablePath” or “PATH_TO_GIT” to point to malicious executables, attackers can achieve code execution.
Code Execution via Workspace Configuration Overrides: Vulnerabilities in GitHub Copilot, Cursor, and Roo Code allow prompt injection to modify workspace configuration files (*.code-workspace). By overriding multi-root workspace settings, attackers can achieve code execution. This often relies on AI agents being configured to auto-approve file writes, allowing the injection of malicious workspace settings without direct user intervention.
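Both the settings-file and workspace-file scenarios above turn on one thing: a repository-controlled configuration value that names a program the IDE will launch. The audit below is an added example, not code from the IDEsaster research or any IDE vendor. It parses a `.vscode/settings.json` and a `*.code-workspace` file, flags every key that looks like an executable path (the key suffix heuristic, the trusted tool directories and the sample files are constructed assumptions; `php.validate.executablePath` is the key the article names), and rates values that resolve inside the repository as the highest risk, since an attacker who can write the setting can also write the binary it points to.

```python
"""Audit VS Code-style configuration for executable paths the repository controls.

Added example for the settings-file and workspace-file scenarios; parsing
assumes plain JSON (real settings files may contain JSONC comments).
"""
import json
import os
import re
from dataclasses import dataclass

# Heuristic (assumption): any key ending in "path" may name a program the IDE runs.
EXECUTABLE_KEY_RE = re.compile(r"(?i)path$")
# Assumption: system tool directories a project is allowed to point at.
TRUSTED_PREFIXES = ("/usr/bin/", "/usr/local/bin/", "/opt/homebrew/bin/")


@dataclass(frozen=True)
class Finding:
    source: str    # which file the setting came from
    key: str
    value: str
    severity: str  # "high" or "medium"
    reason: str


def classify_path(value) -> tuple:
    """Return (severity, reason) for a suspicious executable path, or () if acceptable."""
    if not isinstance(value, str) or not value:
        return ()
    repo_relative = ("${workspaceFolder}" in value or "${workspaceRoot}" in value
                     or not os.path.isabs(value))
    if repo_relative:
        return ("high", "executable resolves inside the repository; opening the project runs it")
    if value.startswith(TRUSTED_PREFIXES):
        return ()
    return ("medium", "absolute path outside trusted tool directories")


def audit_settings(settings: dict, source: str) -> list:
    findings = []
    for key, value in settings.items():
        if EXECUTABLE_KEY_RE.search(key):
            verdict = classify_path(value)
            if verdict:
                findings.append(Finding(source, key, value, *verdict))
    return findings


def audit_settings_file(text: str, source: str = ".vscode/settings.json") -> list:
    return audit_settings(json.loads(text), source)


def audit_workspace_file(text: str, source: str = "project.code-workspace") -> list:
    # In a multi-root workspace the top-level "settings" object overrides user
    # settings for every folder, which is what the override scenario abuses.
    doc = json.loads(text)
    return audit_settings(doc.get("settings", {}), source)


# Constructed sample files: one benign key, one trusted absolute path, two
# repository-relative executables.
SAMPLE_SETTINGS = """{
  "editor.tabSize": 2,
  "php.validate.executablePath": "${workspaceFolder}/tools/php",
  "git.path": "/usr/bin/git"
}"""
SAMPLE_WORKSPACE = """{
  "folders": [{"path": "."}],
  "settings": {"git.path": "${workspaceFolder}/bin/git"}
}"""


def audit_all() -> list:
    return (audit_settings_file(SAMPLE_SETTINGS)
            + audit_workspace_file(SAMPLE_WORKSPACE))


if __name__ == "__main__":
    for f in audit_all():
        print(f"[{f.severity}] {f.source}: {f.key} = {f.value!r} ({f.reason})")
```

Run as a pre-commit or repository-open hook, the audit gives a human something concrete to approve before the IDE trusts the file; the same idea applies to `.idea/workspace.xml`, though that file is XML and needs its own parser.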
Recommendations and Broader Security Concerns
To mitigate the risks associated with IDEsaster and similar vulnerabilities, Marzouk strongly advises developers to exercise caution. It is recommended to use AI IDEs and agents only with trusted projects and files, as malicious content within code, README files, or even file names can serve as prompt injection vectors. Furthermore, connecting only to trusted MCP servers and diligently monitoring them for any changes is crucial, as even secure servers can be compromised.
Developers creating AI agents and IDEs are encouraged to implement the principle of least privilege for LLM tools, minimize potential prompt injection vectors, harden system prompts, and utilize sandboxing for command execution. Comprehensive security testing for path traversal, information leakage, and command injection is also paramount.
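The least-privilege recommendation above can be made concrete as a policy that decides, for each tool call, whether it may be auto-approved, must be shown to the user, or is refused outright. The gate below is an added example, not code from any IDE or from the IDesaster research; the tool names, the sensitive-file patterns, the IDE-configuration patterns and the fetch host allowlist are constructed assumptions. It ties together the three scenarios the article describes: reads of secret files never enter the model context, writes to `.vscode/`, `.idea/` or `*.code-workspace` always require a human, and outbound requests to hosts outside a per-project allowlist (the channel the schema-GET exfiltration uses) are held for approval.

```python
"""Least-privilege approval gate for an AI agent's file and network tool calls.

Added example for the 'least privilege for LLM tools' recommendation; every
pattern and host below is an illustrative assumption, not a vendor default.
"""
import fnmatch
import os
from dataclasses import dataclass
from urllib.parse import urlparse

# Assumption: secrets an agent must never read autonomously.
SENSITIVE_FILE_GLOBS = (".env", ".env.*", "*.pem", "*.key", "id_rsa", "id_ed25519", ".npmrc")
SENSITIVE_DIRS = (".ssh", ".aws", ".gnupg")
# Files the IDE acts on when the project opens; the article names .vscode/settings.json,
# .idea/workspace.xml and *.code-workspace.  Writes here always need a human.
IDE_CONFIG_GLOBS = (".vscode/*", ".idea/*", "*.code-workspace")
# Assumption: a per-project allowlist of hosts the agent may fetch from.
ALLOWED_FETCH_HOSTS = {"json.schemastore.org"}


@dataclass(frozen=True)
class Decision:
    verdict: str   # "allow" (auto-approve), "ask" (explicit user approval), "deny"
    reason: str


def _relative_to_root(root: str, path: str):
    """Workspace-relative POSIX path, or None if the path escapes the workspace.
    Uses normpath only; a production gate should also resolve symlinks."""
    root = os.path.normpath(root)
    full = os.path.normpath(os.path.join(root, os.path.expanduser(path)))
    if os.path.commonpath([root, full]) != root:
        return None
    return os.path.relpath(full, root).replace(os.sep, "/")


def _matches(rel: str, globs) -> bool:
    name = rel.rsplit("/", 1)[-1]
    return any(fnmatch.fnmatch(name, g) or fnmatch.fnmatch(rel, g) for g in globs)


def decide_file_read(root: str, path: str) -> Decision:
    rel = _relative_to_root(root, path)
    if rel is None:
        return Decision("deny", "path escapes the workspace")
    if any(p in SENSITIVE_DIRS for p in rel.split("/")) or _matches(rel, SENSITIVE_FILE_GLOBS):
        return Decision("deny", "secret material must not enter the model context")
    return Decision("allow", "ordinary file inside the workspace")


def decide_file_write(root: str, path: str) -> Decision:
    rel = _relative_to_root(root, path)
    if rel is None:
        return Decision("deny", "path escapes the workspace")
    if _matches(rel, IDE_CONFIG_GLOBS):
        return Decision("ask", "IDE configuration can launch executables when the project loads")
    if _matches(rel, SENSITIVE_FILE_GLOBS):
        return Decision("ask", "writing credential files needs explicit approval")
    # A stricter project may choose "ask" here as well; the point is that
    # auto-approval never extends to the configuration surface.
    return Decision("allow", "source edit inside the workspace")


def decide_fetch(url: str) -> Decision:
    parsed = urlparse(url)
    if parsed.scheme != "https":
        return Decision("deny", "only HTTPS fetches are permitted")
    if parsed.hostname in ALLOWED_FETCH_HOSTS:
        return Decision("allow", "allowlisted host")
    return Decision("ask", "request to an unlisted host could carry workspace data out")


def decide(root: str, call: dict) -> Decision:
    """Dispatch one tool call; unknown tools are never auto-approved."""
    tool = call.get("tool")
    if tool == "read_file":
        return decide_file_read(root, call["path"])
    if tool == "write_file":
        return decide_file_write(root, call["path"])
    if tool == "fetch_url":
        return decide_fetch(call["url"])
    return Decision("ask", f"no policy for tool {tool!r}")


# Constructed sample of calls an agent might propose while working on a project.
ROOT = "/workspace/project"
SAMPLE_CALLS = [
    {"tool": "read_file", "path": "src/main.py"},
    {"tool": "read_file", "path": ".env"},
    {"tool": "read_file", "path": "../../etc/passwd"},
    {"tool": "write_file", "path": ".vscode/settings.json"},
    {"tool": "write_file", "path": "project.code-workspace"},
    {"tool": "fetch_url", "url": "https://example.invalid/schema.json"},
    {"tool": "fetch_url", "url": "https://json.schemastore.org/package.json"},
]

if __name__ == "__main__":
    for call in SAMPLE_CALLS:
        d = decide(ROOT, call)
        print(f"{d.verdict:5s} {call} -- {d.reason}")
```

The useful property is that the default for anything unrecognised is "ask", so adding a new tool or config format widens the approved surface only when someone deliberately changes the policy.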
These findings coincide with the discovery of other significant vulnerabilities in AI coding tools. These include a command injection flaw in OpenAI Codex CLI (CVE-2025-61260) that leverages implicitly trusted commands configured via MCP servers, and indirect prompt injection vulnerabilities in Google Antigravity that could lead to credential harvesting and data exfiltration. A new class of vulnerability named PromptPwnd also targets AI agents connected to GitHub Actions or GitLab CI/CD pipelines, capable of tricking agents into executing privileged tools for information leaks or code execution.
As agentic AI tools become more prevalent in enterprise environments, these vulnerabilities underscore the expanded attack surface introduced by AI integration. The inability of LLMs to consistently differentiate between user instructions and malicious embedded prompts within ingested data presents a continuous challenge. The development of AI tools necessitates a “Secure for AI” paradigm, ensuring security is integrated by design and anticipates potential AI-specific abuse vectors.
The ongoing evolution of AI in development tools necessitates a proactive approach to security. Future efforts will likely focus on developing more robust LLM defenses, enhancing the security of IDE integrations, and fostering a security-conscious culture among developers. The industry must remain vigilant as these technologies continue to advance, ensuring that innovation does not come at the cost of fundamental security principles.