Skip to main content
Mallory
Mallory

Critical Vulnerabilities in AI-Powered Coding Tools Enable Data Exfiltration and Remote Code Execution

attack vectorsremote code executiondata exfiltrationunauthorized tool callsexploitvulnerabilitysecurity analysiscoding assistantsAIautomationGitHub CopilotCVEsecurity postureattack surfaceelevated privileges
Updated December 8, 2025 at 02:14 PM4 sources

Get Ahead of Threats Like This

Know if you're exposed — before adversaries strike.

Security researchers have disclosed over 30 vulnerabilities in a range of AI-powered Integrated Development Environments (IDEs) and coding assistants, collectively named 'IDEsaster.' These flaws, affecting popular tools such as Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie, and Cline, allow attackers to chain prompt injection techniques with legitimate IDE features to achieve data exfiltration and remote code execution (RCE). The vulnerabilities exploit the fact that AI agents integrated into these environments can autonomously perform actions, bypassing traditional security boundaries and enabling attackers to hijack context, trigger unauthorized tool calls, and execute arbitrary commands. At least 24 of these vulnerabilities have been assigned CVE identifiers, highlighting the widespread and systemic nature of the risk.

The research emphasizes that the integration of AI agents into development workflows introduces new attack surfaces, as these agents often operate with elevated privileges and insufficient threat modeling. Notably, the issues differ from previous prompt injection attacks by leveraging the AI agent's ability to activate legitimate IDE features for malicious purposes. Additional reporting confirms that critical CVEs have been issued for these tools, and broader industry analysis warns that nearly half of all AI-generated code contains exploitable flaws, with a particularly high vulnerability rate in Java. The findings underscore the urgent need for organizations using AI-driven development tools to reassess their security postures and apply available patches to mitigate the risk of data theft and RCE attacks.

Related Entities

Vulnerabilities

Command Injection in GitHub Copilot and Visual Studio via Prompt Injection (CVE-2025-53773)RCE via AI Agent Permission Bypass in Zed Agent Panel (CVE-2025-55012)RCE via VS Code settings write in Roo Code (CVE-2025-53536)RCE via Indirect Prompt Injection in Cursor AI Code Editor (<1.3.9) (CVE-2025-54130)CVE-2025-58335CVE-2025-49150Prompt Injection File Read in Roo Code search_files Tool (CVE-2025-53097)Improper access control leading to network code execution in GitHub Copilot for Visual Studio Code (CVE-2025-64660)Arbitrary Code Execution via Malicious .code-workspace Writes in Roo Code (CVE-2025-58372)RCE via Workspace Prompt Injection in Cursor <=1.6 (CVE-2025-61590)

Malware

Shai-Hulud worm

Sources

the hacker news
⚡ Weekly Recap: USB Malware, React2Shell, WhatsApp Worms, AI IDE Bugs & More
December 8, 2025 at 12:00 AM
the hacker news
Researchers Uncover 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks
December 6, 2025 at 12:00 AM
vulnu
🎓️ Vulnerable U | #145
December 5, 2025 at 12:00 AM
the hacker news
5 Threats That Reshaped Web Security This Year [2025]
December 4, 2025 at 12:00 AM

Related Stories

Novel Vulnerabilities and Attack Vectors in AI-Powered IDEs and Coding Assistants

A new class of vulnerabilities, termed "IDEsaster," has been discovered affecting a wide range of AI-powered Integrated Development Environments (IDEs) and coding assistants. Research revealed that over 30 security vulnerabilities, including 24 assigned CVEs, impact more than 10 leading products such as GitHub Copilot, Claude Code, and others, potentially exposing millions of users. The vulnerabilities stem from the integration of AI agents into IDEs, which were not originally designed with such capabilities in mind, leading to attack chains that can result in data exfiltration and remote code execution. Major vendors have issued advisories and updated documentation in response to these findings. Further research highlights the risks associated with the Model Context Protocol (MCP) sampling feature, commonly used in coding copilot applications. Without adequate safeguards, malicious MCP servers can exploit this feature to perform resource theft, hijack conversations, exfiltrate sensitive data, and covertly invoke tools. Proof-of-concept attacks demonstrate that the implicit trust model and lack of robust security controls in MCP can be leveraged for persistent and covert attacks, underscoring the urgent need for improved security measures in AI-driven development environments.

3 months ago
Security Risks and Vulnerabilities in AI-Powered Developer Tools and Extensions

Security Risks and Vulnerabilities in AI-Powered Developer Tools and Extensions

Security researchers have identified significant risks in AI-powered developer tools and browser extensions, highlighting how new AI capabilities can introduce novel attack vectors. In the case of Anthropic's Claude Chrome extension, researchers at Zenity Labs demonstrated that the extension, which allows the AI to browse and interact with websites on behalf of users, can expose sensitive data and perform actions using the user's credentials. This creates opportunities for indirect prompt injection attacks, where malicious instructions embedded in web content can manipulate the AI to perform harmful actions such as deleting files or sending unauthorized messages. The extension's persistent login state and ability to access private services like Google Drive and Slack further amplify the risk, as attackers could leverage the AI's access for lateral movement within organizations. Similarly, security concerns have been raised about AI-powered integrated development environments (IDEs) forked from Microsoft VSCode, such as Cursor and Windsurf. These IDEs recommend extensions that do not exist in the OpenVSX registry, leaving unclaimed namespaces that threat actors could exploit to distribute malicious code. Researchers from Koi Security reported that some vendors responded by removing vulnerable recommendations, but others have yet to act. These findings underscore the urgent need for both vendors and users to reassess the security implications of integrating AI into development and productivity tools, as traditional security models may not adequately address the unique risks posed by AI-driven automation and extension ecosystems.

2 months ago

Critical Vulnerabilities in Cline Bot AI Coding Assistant Enable Data Theft and Code Execution

A security audit conducted by Mindgard uncovered four major vulnerabilities in the popular Cline Bot AI coding assistant, which has over 3.8 million installs and more than 1.1 million daily active users. The flaws include the potential for attackers to steal sensitive information such as API keys, execute unauthorized code on a developer's machine, bypass internal safety checks, and leak confidential details about the AI model itself. The attack vector involves prompt injection, where malicious instructions are hidden in source code files; when Cline Bot analyzes such files, it can be manipulated into performing dangerous actions without the user's knowledge or consent. These findings highlight significant risks associated with the widespread adoption of AI coding assistants, as even trusted tools can be exploited to compromise developer environments. The vulnerabilities were identified rapidly—within two days of the audit's start—demonstrating both the urgency and the ease with which such flaws can be discovered and potentially abused. The research underscores the need for rigorous security assessments of AI-powered development tools and increased awareness of the risks posed by prompt injection and insufficient safety controls in these systems.

3 months ago

Get Ahead of Threats Like This

Mallory continuously monitors global threat intelligence and correlates it with your attack surface. Know if you're exposed — before adversaries strike.