Full Report
Over 30 security vulnerabilities have been disclosed in various artificial intelligence (AI)-powered Integrated Development Environments (IDEs) that combine prompt injection primitives with legitimate features to achieve data exfiltration and remote code execution. The security shortcomings have been collectively named IDEsaster by security researcher Ari Marzouk (MaccariTA). They affect popular
Analysis Summary
# Vulnerability: IDEsaster - Prompt Injection Leading to Data Exfiltration and RCE in AI-Powered IDEs
## CVE Details
- CVE ID: Multiple assigned, examples include `CVE-2025-49150`, `CVE-2025-53097`, `CVE-2025-58335`, `CVE-2025-53773`, `CVE-2025-54130`, `CVE-2025-53536`, `CVE-2025-55012`, `CVE-2025-64660` (and others, total 24 assigned).
- CVSS Score: No overall score is given in the text; severity is effectively High given the RCE and data-exfiltration impact.
- CWE: Not explicitly stated; the flaws relate to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') variants applied to LLM contexts, together with improper validation of tool control.
## Affected Systems
- Products: Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie, Cline, and other AI-powered IDEs/extensions.
- Versions: Specific vulnerable versions are not listed, but the issue affects numerous popular AI IDEs.
- Configurations: Systems utilizing AI agent features that have auto-approved tool calls and legitimate IDE features that accept external context.
## Vulnerability Description
The collective security flaws, dubbed "IDEsaster," exploit the trust mechanism between AI agents (LLMs) integrated into IDEs and the legitimate, pre-existing features of the IDE itself. The attack chain leverages three components:
1. **Prompt Injection:** Bypassing LLM guardrails to hijack context and force malicious actions.
2. **Auto-Approved Tool Calls:** Exploiting AI agent tooling where actions do not require explicit user interaction.
3. **IDE Feature Activation:** Weaponizing legitimate IDE features (like file reading/writing or configuration editing) based on the injected prompt.
Context hijacking can occur via user-pasted URLs/text containing hidden characters, or through tool poisoning/rug pulls affecting Model Context Protocol (MCP) servers parsing attacker-controlled data. The successful chaining of these steps leads to data exfiltration or Remote Code Execution (RCE).
## Exploitation
- Status: The text describes functional attack chains as attack scenarios, so a **PoC is likely available**; the existence of the attack primitives is explicitly confirmed.
- Complexity: Implied **Medium** due to the requirement to chain three distinct vectors (Prompt Injection + Tool Use + Feature Abuse).
- Attack Vector: Typically **Network** (via crafted context/input) leading to **Local** execution or data access.
## Impact
- Confidentiality: **High** (Enables data exfiltration of sensitive files).
- Integrity: **High** (Enables arbitrary command execution/RCE via configuration modification).
- Availability: Potential impact via RCE, though data exfiltration is the primary described result.
## Remediation
### Patches
- Specific patch versions are not detailed in the provided text. Affected vendors are implied to be issuing updates.
- Claude Code was addressed with a **security warning**; the text snippet gives no formal patch reference for it.
### Workarounds
- **User Caution:** Be mindful of context provided to AI assistants (e.g., URLs, pasted code/text), as this can contain hidden elements that poison the LLM context.
- **Disable/Restrict AI Features:** If necessary, temporarily restrict or disable highly autonomous AI tool-calling features in the affected IDEs until verified patches are applied.
## Detection
- **Indicators of Compromise (IoCs):**
1. The IDE reading files (`read_file` tool usage) and then performing write operations that reach unexpected external (attacker-controlled) endpoints via custom protocols (e.g., data leaked through legitimate write operations that embed remote-loading elements).
2. IDE configuration files (`.vscode/settings.json`, `.idea/workspace.xml`) being modified to execute arbitrary code paths (e.g., changing `php.validate.executablePath` or `PATH_TO_GIT` to malicious executables).
- **Detection Methods and Tools:** Monitoring outbound network traffic originating from the IDE process for unusual connections to external domains initiated during AI command execution, especially after processing external context. Specific IDE vendor security updates should be tracked for targeted protection definitions.
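The second indicator above (workspace configuration files repointing an IDE-launched executable) can be checked on disk. The following audit script is an added example, not code from the report or from the researcher's disclosure. It assumes VS Code-style `.vscode/settings.json` files; `php.validate.executablePath` is the key named above, while the remaining watch-list keys, the trusted directory prefixes and the sample settings are constructed for illustration.

```python
"""Audit VS Code-style workspace settings for executable-path overrides.

Heuristic check for the IoC described above: a workspace-scoped settings
file that points a binary the IDE will launch at a file inside the
workspace (attacker-writable) or at a path outside the usual tool locations.
"""
import json
from pathlib import Path, PurePosixPath

# Assumption: settings keys whose value names an executable the IDE launches.
# "php.validate.executablePath" is the key named in the report; the others
# are a constructed watch-list for this example.
EXECUTABLE_KEYS = (
    "php.validate.executablePath",
    "git.path",
    "python.defaultInterpreterPath",
)
# Assumption: directories from which a launched tool is considered normal.
TRUSTED_PREFIXES = ("/usr/bin", "/usr/local/bin", "/opt/homebrew/bin")


def flatten(obj, prefix=""):
    """Yield (dotted_key, value) pairs from a possibly nested settings dict."""
    for key, value in obj.items():
        name = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from flatten(value, name)
        else:
            yield name, value


def is_suspicious(value, workspace):
    """True if an executable path resolves inside the workspace or outside trusted dirs."""
    if not isinstance(value, str) or not value:
        return False
    p = PurePosixPath(value)
    # Relative paths and ${workspaceFolder} references resolve inside the
    # repository, i.e. to files an attacker-controlled commit can supply.
    if not p.is_absolute() or value.startswith("${workspaceFolder}"):
        return True
    if str(p).startswith(str(workspace)):
        return True
    return not any(str(p).startswith(t) for t in TRUSTED_PREFIXES)


def audit_settings(settings: dict, workspace: str) -> list:
    """Return findings ("key -> value") for executable overrides in a settings dict."""
    findings = []
    for key, value in flatten(settings):
        if key in EXECUTABLE_KEYS or key.endswith("executablePath"):
            if is_suspicious(value, workspace):
                findings.append(f"{key} -> {value!r}")
    return findings


def audit_file(path: Path, workspace: str) -> list:
    """Load a settings.json from disk and audit it (JSON with comments is not handled)."""
    with path.open(encoding="utf-8") as fh:
        return audit_settings(json.load(fh), workspace)


# Constructed sample: one benign system path and one workspace-relative override.
SAMPLE_SETTINGS = {
    "editor.tabSize": 4,
    "git.path": "/usr/bin/git",
    "php.validate.executablePath": "./node_modules/.bin/php",
}

if __name__ == "__main__":
    for finding in audit_settings(SAMPLE_SETTINGS, "/home/dev/project"):
        print("suspicious:", finding)
```

Run it from a pre-commit hook or a repository scan with `audit_file(Path(".vscode/settings.json"), repo_root)`; a non-empty result means the workspace is asking the IDE to launch something the project itself supplies, which is exactly the configuration change the report lists as an indicator.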
## References
- Vendor advisories: Not explicitly detailed, but patching implies vendor acknowledgment.
- Relevant links - defanged:
- Researcher Disclosure: hxxps://maccarita.com/posts/idesaster/
- Cursor CVE: hxxps://www.cve.org/CVERecord?id=CVE-2025-49150
- Roo Code CVE: hxxps://www.cve.org/CVERecord?id=CVE-2025-53097
- Junie CVE: hxxps://www.cve.org/CVERecord?id=CVE-2025-58335
- GitHub Copilot CVE: hxxps://www.cve.org/CVERecord?id=CVE-2025-53773