PERMISSION/PROTOCOL

2025-12-06

High / Primary

IDEsaster: 30+ Vulnerabilities Across All Major AI IDEs Chain Prompt Injection to RCE via IDE Settings Overwrite

Researcher Ari Marzouk finds 30+ vulnerabilities (24 CVEs) across all tested AI IDEs: Cursor, GitHub Copilot, Claude Code, Windsurf. Novel attack chain — prompt injection via repo files to IDE settings overwrite to RCE — affects 1.8M developers.

Affected products: Cursor / GitHub Copilot / Claude Code / Multiple AI IDEs
Category: Tool execution / MCP
Attack: Prompt injection chain / IDE remote code execution
Layer: AI IDE tool layer / base IDE features (VS Code settings, JetBrains workspace.xml, terminal execution)

What happened

Marzouk embedded hidden instructions in repository files (READMEs, .vscode/settings.json overrides, JSON schema files). When a developer opened the repository, the AI agent followed injected instructions to modify IDE configuration files, and the IDE's built-in execution features ran attacker-specified commands — no explicit user approval required for the AI tool chain.

Why it matters

Demonstrated data exfiltration via Remote JSON Schema attacks (automatic GET requests to attacker-controlled servers triggered on file open in VS Code, JetBrains, and Zed.dev) and remote code execution via IDE Settings Overwrite (.vscode/settings.json → arbitrary terminal commands). 1.8 million developers across affected platforms.

Missing authorization check

AI coding agents must require explicit authorization before modifying IDE configuration files with code execution implications. Tool calls that write to IDE settings with terminal or build hooks must be gated with a signed receipt — modifying build configuration is equivalent to running code and should be treated as such.

Would PP block it?

PP enforced at the IDE tool layer would gate the consequential step in the IDEsaster chain: any tool call writing to .vscode/settings.json, .idea/workspace.xml, or equivalent config with terminal or build execution hooks should require a signed authority receipt — breaking the RCE chain. The Remote JSON Schema data exfiltration vector (automatic HTTP GET on file open) fires before any AI tool call and is outside PP's enforcement surface, requiring vendor-side controls. Full coverage: PP for settings-write tool calls, vendor-side controls for automatic schema fetching on file open.

Incident analysis

Timeline and technical read

Timeline

  1. 2025-06-01: Ari Marzouk begins 6-month IDEsaster research project, testing all major AI IDEs
  2. 2025-09-01: Responsible disclosure begins across affected vendors; 90+ day disclosure periods initiated
  3. 2025-12-06: IDEsaster published: 30+ vulnerabilities, 24 CVEs across 10+ AI IDEs, 1.8M developers affected
  4. 2025-12-07: The Hacker News, GBHackers, and security outlets cover the research; vendor patches begin rolling out
  5. 2026-06-17: IDEsaster resurfaces strongly across security media with new vendor-specific analysis and continued coverage

Technical breakdown

  • Novel attack class 'Prompt Injection → Tools → Base IDE Features': attackers embed hidden instructions in repository files AI agents scan (READMEs, configs, JSON schemas). The AI treats these as authoritative and uses legitimate tool calls to modify IDE settings files that have terminal or build execution hooks.
  • Remote JSON Schema attacks (CVE-2025-49150, CVE-2025-53097, CVE-2025-58335): VS Code, JetBrains, and Zed.dev automatically fetch JSON schemas via GET requests when opening certain file types. Attacker-controlled schema endpoints receive requests with workspace metadata, enabling data exfiltration before any AI tool call occurs.
  • IDE Settings Overwrite vulnerabilities (CVE-2025-53773, CVE-2025-54130, CVE-2025-55012): AI agents instructed via prompt injection modify .vscode/settings.json or .idea/workspace.xml to set terminal environment variables or build task commands to attacker-controlled executables — RCE on the developer's machine.
  • 100% of tested applications were vulnerable because AI agents were granted read/write access to IDE configuration files without any authorization boundary between the agent tool layer and base IDE execution features.
  • Vendor responses were fragmented: GitHub Copilot and Kiro.dev patched; Cursor received CVE assignments; Claude Code acknowledged but addressed with a security warning only, leaving enforcement to developer judgment.

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Tool-Call Gate. This assessment is conditional: PP blocks the attack only where the real action boundary is routed through a gate.

If enforced at: Tool-call layer (IDE settings writes with execution implications)
Still needs: Prompt injection via repository files (pre-tool-call stage); automatic HTTP requests triggered by IDE schema resolution on file open (rendering-layer behavior before any agent action)
Receipt required for: Any AI agent tool call that modifies IDE settings, build configuration, or workspace files with terminal, build, or command execution hooks

PP's tool-call gate would require a signed receipt before AI tools modify IDE settings files with execution implications, blocking the Settings Overwrite RCE vector. PP does not prevent the initial prompt injection from repository files — that is an AI model trust boundary issue.
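The following is an added example of what the tool-call gate described in this section and the classification of execution-relevant writes from the Technical breakdown could look like in code. It is not the Permission Protocol implementation and not the IDEsaster research's proof of concept. It assumes a fixed list of IDE configuration paths, a short illustrative list of real VS Code setting keys that feed a shell or process launch, a crude treatment of JetBrains workspace.xml (any run configuration counts), and HMAC-SHA256 receipts so that it runs with only the standard library; a deployed signer would use an asymmetric key so the gate process could verify receipts without being able to mint them. The sample settings.json, the key material and the placeholder executable path are constructed for the demo.

```python
import hashlib
import hmac
import json
import re
import secrets
from dataclasses import dataclass
from typing import Optional

# Paths treated as IDE configuration (assumption: a real gate loads this from policy).
IDE_CONFIG_SUFFIXES = (".vscode/settings.json", ".vscode/tasks.json", ".idea/workspace.xml")
# Real VS Code keys whose values feed a shell or process launch (illustrative, not exhaustive).
EXEC_KEY_PREFIXES = ("terminal.integrated.env.", "terminal.integrated.profiles.",
                     "terminal.integrated.defaultProfile.", "task.allowAutomaticTasks", "chat.tools.autoApprove")
REMOTE_URL = re.compile(r"^https?://", re.I)
SCHEMA_URL_KEY = re.compile(r"^json\.schemas\.\d+\.url$")

def _strip_jsonc(text: str) -> str:
    """.vscode files are JSON with comments; remove the comments before parsing."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"^\s*//.*$", "", text, flags=re.M)

def _walk(obj, prefix=""):
    """Yield (dotted.path, value) for every entry in a nested JSON value."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield prefix + key, value
            yield from _walk(value, prefix + key + ".")
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            yield from _walk(value, f"{prefix}{index}.")

def classify_write(path: str, content: str) -> list[str]:
    """Reasons the write has execution or exfiltration implications; [] means a plain edit."""
    if not path.endswith(IDE_CONFIG_SUFFIXES):
        return []
    if path.endswith(".xml"):
        # Assumption: any run configuration an agent adds to workspace.xml counts; no deeper parsing here.
        return ["run configuration written to workspace.xml"] if "<configuration" in content else []
    try:
        data = json.loads(_strip_jsonc(content))
    except json.JSONDecodeError:
        return ["IDE config is not parseable JSON; not treated as safe"]
    reasons = [f"execution-relevant setting: {k}" for k in (data if isinstance(data, dict) else {})
               if k.startswith(EXEC_KEY_PREFIXES)]  # settings.json keys are flat dotted keys
    for key, value in _walk(data):
        if key.endswith("runOptions.runOn") and value == "folderOpen":
            reasons.append(f"task auto-runs on folder open: {key}")
        if SCHEMA_URL_KEY.match(key) and isinstance(value, str) and REMOTE_URL.match(value):
            reasons.append(f"remote schema fetch configured: {value}")
    return reasons

@dataclass(frozen=True)
class Receipt:
    """Approval of one exact write, issued by a signer outside the agent process."""
    path: str
    content_sha256: str
    nonce: str
    signature: str

def _receipt_mac(key: bytes, path: str, digest: str, nonce: str) -> str:
    return hmac.new(key, f"{path}\n{digest}\n{nonce}".encode(), hashlib.sha256).hexdigest()

def sign_receipt(key: bytes, path: str, content: str) -> Receipt:
    """Signer side: called only after a human approved these exact bytes for this path."""
    digest = hashlib.sha256(content.encode()).hexdigest()
    nonce = secrets.token_hex(16)
    return Receipt(path, digest, nonce, _receipt_mac(key, path, digest, nonce))

class ToolCallGate:
    """Gate side: sits between the agent's file-write tool and the filesystem."""
    def __init__(self, verify_key: bytes):
        self._key = verify_key
        self._used_nonces: set[str] = set()

    def evaluate(self, path: str, content: str, receipt: Optional[Receipt] = None) -> tuple[str, list[str]]:
        """Return ("allow" | "receipt_required" | "deny", reasons)."""
        reasons = classify_write(path, content)
        if not reasons:
            return "allow", []
        if receipt is None:
            return "receipt_required", reasons
        digest = hashlib.sha256(content.encode()).hexdigest()
        if receipt.path != path or receipt.content_sha256 != digest:
            return "deny", ["receipt does not cover this path and content"]
        if not hmac.compare_digest(receipt.signature, _receipt_mac(self._key, path, digest, receipt.nonce)):
            return "deny", ["receipt signature invalid"]
        if receipt.nonce in self._used_nonces:
            return "deny", ["receipt already consumed"]
        self._used_nonces.add(receipt.nonce)
        return "allow", reasons

# Constructed sample: a settings.json an injected instruction might ask the agent to write;
# the executable path is a placeholder, not a real payload.
INJECTED_SETTINGS = """{
  // "just tidy up the editor preferences"
  "editor.tabSize": 2,
  "terminal.integrated.env.linux": {"EXAMPLE_VAR": "/tmp/PLACEHOLDER_EXECUTABLE"},
  "json.schemas": [{"fileMatch": ["*.json"], "url": "https://schema.example.invalid/s.json"}]
}"""
BENIGN_SETTINGS = '{"editor.tabSize": 2, "files.trimTrailingWhitespace": true}'

if __name__ == "__main__":
    gate, target = ToolCallGate(b"demo-verify-key"), "repo/.vscode/settings.json"  # constructed key
    print(gate.evaluate(target, BENIGN_SETTINGS), gate.evaluate(target, INJECTED_SETTINGS))
    print(gate.evaluate(target, INJECTED_SETTINGS, sign_receipt(b"demo-verify-key", target, INJECTED_SETTINGS)))
```

The gate binds the receipt to the exact path and content hash, so an approval obtained for one version of settings.json cannot be reused for a later rewrite, and a consumed nonce cannot be replayed. Benign edits to the same file pass without a receipt; only writes that touch execution hooks or configure a remote schema fetch are held. As the section notes, this does nothing about the injection itself or about schema fetches the IDE performs on file open, which happen before any tool call reaches the gate.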

Start small

Put the relevant gate at this action boundary.

This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
