Researchers have disclosed over 30 security vulnerabilities in AI-powered Integrated Development Environments (IDEs), collectively dubbed “IDEsaster” by Ari Marzouk (MaccariTA). These flaws exploit prompt injection techniques combined with legitimate IDE features to enable data exfiltration and remote code execution (RCE).
The issues impact popular IDEs and extensions such as Cursor, Windsurf, Kiro.dev, GitHub Copilot, Zed.dev, Roo Code, Junie, and Cline. Of the reported flaws, 24 have received CVE identifiers.
Marzouk noted that the most surprising finding was the presence of universal attack chains across all tested AI IDEs. He explained that these tools often ignore the underlying IDE in their threat models, assuming long-standing features are safe. However, when combined with autonomous AI agents, these features can be weaponized for data theft and RCE.
The vulnerabilities stem from three common attack vectors in AI-driven IDEs:
- Prompt Injection – Bypassing LLM guardrails to hijack context and execute malicious commands.
- Auto-Approved Actions – Allowing AI agents to perform tasks without user interaction.
- Feature Exploitation – Leveraging legitimate IDE capabilities to escape security boundaries and leak sensitive data or run arbitrary code.
Unlike previous attacks that relied on modifying AI agent configurations, these chains exploit the interplay between AI autonomy and trusted IDE features, creating new avenues for compromise.