Critical Vulnerabilities in GitHub Copilot, Gemini CLI, and Claude Expose Millions to Security Risks
The integration of AI-driven tools like GitHub Copilot, Gemini CLI, and Claude Code into software development has significantly enhanced productivity. These tools have evolved from simple code autocompletion features to autonomous agents capable of executing complex tasks. However, this rapid advancement has introduced critical security vulnerabilities, collectively termed IDEsaster, which exploit the interaction between these AI agents and the underlying features of Integrated Development Environments (IDEs) such as Visual Studio Code and JetBrains.
Understanding the IDEsaster Vulnerability
The IDEsaster vulnerability class leverages the inherent features of IDEs to perform malicious actions. Unlike traditional vulnerabilities that target specific flaws within a tool, this attack chain manipulates IDE configuration files and workspace settings to execute unauthorized commands. By exploiting these foundational elements, attackers can bypass standard security measures, leading to data exfiltration and remote code execution.
Remote Code Execution via IDE Settings Overwrite
One of the most severe manifestations of the IDEsaster vulnerability involves the manipulation of IDE configuration files to achieve Remote Code Execution (RCE). In this scenario, an attacker uses prompt injection techniques to deceive the AI agent into modifying core settings files, such as `.vscode/settings.json` in Visual Studio Code or `.idea/workspace.xml` in JetBrains IDEs. This method targets global IDE settings, expanding the attack surface beyond agent-specific configurations.
For instance, in Visual Studio Code, an attacker can instruct the AI agent to edit a seemingly benign file, like a Git hook sample, by inserting malicious code. Subsequently, the agent is directed to modify the `php.validate.executablePath` setting to point to this newly created executable, effectively enabling the execution of arbitrary code.
Vulnerability References and CVEs
The research into the IDEsaster vulnerability class has identified over 30 separate vulnerabilities, resulting in 24 Common Vulnerabilities and Exposures (CVEs) assigned across various products. The following table summarizes the affected products, vulnerability types, and their corresponding CVEs:
| Product | Vulnerability Type | CVE / Status |
|---|---|---|
| GitHub Copilot | Remote JSON Schema | Fixed (No CVE) |
| GitHub Copilot | IDE Settings Overwrite | CVE-2025-53773 |
| GitHub Copilot | Multi-Root Workspace Settings | CVE-2025-64660 |
| Cursor | Remote JSON Schema | CVE-2025-49150 |
| Cursor | IDE Settings Overwrite | CVE-2025-54130 |
| Cursor | Multi-Root Workspace Settings | CVE-2025-61590 |
| Roo Code | Remote JSON Schema | CVE-2025-53097 |
| Roo Code | IDE Settings Overwrite | CVE-2025-53536 |
| Roo Code | Multi-Root Workspace Settings | CVE-2025-58372 |
| Zed.dev | IDE Settings Overwrite | CVE-2025-55012 |
| JetBrains Junie | Remote JSON Schema | CVE-2025-58335 |
| Kiro.dev | Remote JSON Schema | Fixed (No CVE) |
| Kiro.dev | IDE Settings Overwrite | Fixed (No CVE) |
| Claude Code | Remote JSON Schema | Acknowledged (Warning Added) |
| Claude Code | IDE Settings Overwrite | Acknowledged (Warning Added) |
Implications for Developers and Organizations
The discovery of these vulnerabilities has significant implications for developers and organizations relying on AI-driven coding assistants. The ability of attackers to manipulate IDE settings through AI agents poses a substantial risk, potentially leading to unauthorized access, data breaches, and system compromises. The widespread adoption of these tools means that millions of users are potentially affected, underscoring the urgency of addressing these security flaws.
Mitigation Strategies
To mitigate the risks associated with the IDEsaster vulnerabilities, developers and organizations should consider the following strategies:
1. Update and Patch: Ensure that all AI-driven tools and IDEs are updated to the latest versions, incorporating patches that address known vulnerabilities.
2. Review and Restrict Permissions: Carefully review the permissions granted to AI agents within the development environment. Restrict their ability to modify critical configuration files and execute arbitrary code.
3. Implement Input Validation: Strengthen input validation mechanisms to prevent prompt injection attacks. Ensure that AI agents process only sanitized and trusted inputs.
4. Monitor and Audit: Regularly monitor and audit the activities of AI agents within the development environment to detect and respond to any unauthorized actions promptly.
5. Educate and Train: Provide training to developers on the potential risks associated with AI-driven tools and the importance of adhering to security best practices.
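As an added example (not code from the article or from any of the vendors named in it), the following Python check audits a workspace's `.vscode/settings.json` for executable-path settings that point back inside the checkout, which is the pattern the settings-overwrite section above describes and the kind of routine audit step 4 asks for. The sample settings file and the workspace location are constructed assumptions; only the `php.validate.executablePath` key comes from the article, and the check generalises to any key ending in `executablePath`.

```python
import json
from pathlib import Path

# Constructed sample: what an agent-written .vscode/settings.json could look like
# after the settings-overwrite chain described above (not a real capture).
SAMPLE_SETTINGS = """{
  "editor.fontSize": 14,
  "php.validate.executablePath": "${workspaceFolder}/.git/hooks/pre-commit.sample"
}"""
WORKSPACE = Path("/tmp/demo-workspace")  # assumed checkout location


def suspicious_executable_settings(workspace: Path, settings_text: str) -> list:
    """Flag *.executablePath keys whose target resolves inside the workspace.

    A legitimate executable path points at a tool install (e.g. /usr/bin/php);
    one that points into the checkout means repository content, which an AI
    agent or a cloned repo can write, will be launched by the IDE.
    Note: VS Code settings files may be JSONC; comments are not stripped here.
    """
    try:
        settings = json.loads(settings_text)
    except json.JSONDecodeError as exc:
        return [{"key": None, "value": None, "reason": f"unparseable settings: {exc}"}]

    root = workspace.resolve()
    findings = []
    for key, value in settings.items():
        if not key.lower().endswith("executablepath") or not isinstance(value, str):
            continue
        target = Path(value.replace("${workspaceFolder}", str(root)))
        if not target.is_absolute():
            target = root / target  # relative paths resolve against the workspace
        target = target.resolve()
        if target.is_relative_to(root):
            reason = "executable path points inside the workspace"
            if ".git" in target.relative_to(root).parts:
                reason += " (under .git/, e.g. a hook sample)"
            findings.append({"key": key, "value": value, "reason": reason})
    return findings


def scan_sample() -> list:
    """Run the check over the constructed sample above."""
    return suspicious_executable_settings(WORKSPACE, SAMPLE_SETTINGS)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"[!] {f['key']} = {f['value']!r}: {f['reason']}")
```

Run it from a pre-commit hook or a CI step over every `.vscode/settings.json` in the repository; a non-empty result should block the change until a human has reviewed the setting.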
Conclusion
The integration of AI agents into software development has brought about remarkable efficiencies but also introduced new security challenges. The IDEsaster vulnerabilities highlight the need for a balanced approach that embraces innovation while prioritizing security. By implementing robust mitigation strategies and fostering a culture of security awareness, developers and organizations can harness the benefits of AI-driven tools without compromising the integrity of their development environments.