A groundbreaking security research project has uncovered a new class of vulnerabilities affecting virtually every major AI-powered integrated development environment (IDE) and coding assistant on the market.
Dubbed “IDEsaster,” this attack chain exploits fundamental features of underlying IDE platforms to exfiltrate data and execute remote code, impacting millions of developers worldwide.
The research, conducted over six months, identified over 30 separate security vulnerabilities across 10+ market-leading products, including GitHub Copilot, Cursor, Windsurf, Kiro.dev, Zed.dev, Roo Code, JetBrains Junie, Cline, Gemini CLI, and Claude Code.
The findings resulted in 24 CVEs being assigned and prompted security advisories from major vendors including AWS (AWS-2025-019).
The IDEsaster Attack Chain
Unlike previously disclosed vulnerabilities that targeted specific application components, IDEsaster leverages features from the base IDE layer itself.
This fundamental approach means that 100% of tested AI IDEs and coding assistants integrating with popular IDEs were found vulnerable to this new attack chain.
The novel attack chain follows three stages: Prompt Injection → Tools → Base IDE Features. Attackers first hijack context through various prompt injection vectors including malicious rule files, MCP servers, deeplinks, or even file names.
The AI agent’s tools are then used to perform actions that trigger underlying IDE features. Finally, base IDE features are exploited to achieve information leakage or command execution.
The security researcher behind the discovery explained that this represents a redefined threat model: “AI IDEs effectively ignored the base IDE software as part of the threat model, assuming it’s inherently safe because it existed for years. However, once you add AI agents that can act autonomously, the same legacy features can be weaponized.”
Three primary case studies demonstrate the severity of IDEsaster vulnerabilities. Remote JSON Schema attacks affect Visual Studio Code, JetBrains IDEs, and Zed.dev, enabling data exfiltration by automatically triggering GET requests to attacker-controlled domains.
IDE Settings Overwrite vulnerabilities allow remote code execution by manipulating configuration files like .vscode/settings.json or .idea/workspace.xml to execute arbitrary commands.
Multi-Root Workspace Settings in Visual Studio Code provide additional attack surface by allowing manipulation of workspace configurations to bypass security controls.
Mitigations
GitHub Copilot has addressed multiple vulnerabilities including CVE-2025-53773 and CVE-2025-64660.
Cursor received patches for CVE-2025-49150, CVE-2025-54130, and CVE-2025-61590. Other affected products including Kiro.dev and Roo Code have also issued fixes, though some vendors like Claude Code opted to address risks through security warnings in their documentation rather than code changes.
The research introduces a new security principle called “Secure for AI,” extending secure-by-design principles to account for AI components explicitly.

Developers are advised to use AI IDEs only with trusted projects, to configure human-in-the-loop verification where supported, and to carefully vet MCP servers.
Product maintainers should implement capability-scoped tools, continuously monitor IDE features for attack vectors, assume prompt injection is always possible, and deploy sandboxing and egress controls.
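As an added example (not the researchers' tooling and not code from any of the products named above), the following Python audit applies the two base-IDE vectors from the case studies and the mitigation advice to a checked-out project: it flags remote JSON Schema references that would trigger a GET to a host outside an allowlist, flags settings keys in a repository-controlled .vscode/settings.json that name a program or command the IDE will run, and compares user-level settings with a hardening baseline. The allowlist, the key-suffix heuristic, and the choice of `json.schemaDownload.enable` and `security.workspace.trust.enabled` as the baseline are assumptions; the sample files are constructed, and .idea/workspace.xml is not parsed.

```python
import json
import re
from urllib.parse import urlparse

# Assumption: hosts an organisation expects schemas to be fetched from.
SCHEMA_HOST_ALLOWLIST = {"json.schemastore.org"}

# Assumption: key suffixes that commonly name a program or command the IDE
# runs without prompting; matched by suffix so extension-contributed settings
# such as "<extension>.executablePath" are caught too.
EXECUTABLE_KEY_SUFFIXES = (".path", ".executablePath", ".command", ".shell", ".args")

# User-level settings used as the hardened baseline (assumed, see lead-in).
HARDENING_BASELINE = {
    "json.schemaDownload.enable": False,       # no automatic GET for remote schemas
    "security.workspace.trust.enabled": True,  # untrusted folders stay restricted
}


def _load_jsonc(text):
    """Parse settings-style JSON; whole-line // comments are stripped first
    (assumption: block comments are not used in the audited files)."""
    return json.loads(re.sub(r"^\s*//.*$", "", text, flags=re.M))


def _schema_urls(doc):
    """Yield every "$schema" value and every "url" of a "json.schemas" entry,
    at any depth of the parsed document."""
    if isinstance(doc, dict):
        for key, val in doc.items():
            if key == "$schema" and isinstance(val, str):
                yield val
            elif key == "json.schemas" and isinstance(val, list):
                for entry in val:
                    if isinstance(entry, dict) and isinstance(entry.get("url"), str):
                        yield entry["url"]
            else:
                yield from _schema_urls(val)
    elif isinstance(doc, list):
        for item in doc:
            yield from _schema_urls(item)


def audit_workspace(files):
    """files: {relative_path: text}. Returns a list of (path, finding, detail)."""
    findings = []
    for path, text in files.items():
        try:
            doc = _load_jsonc(text)
        except json.JSONDecodeError as exc:
            findings.append((path, "unparseable JSON", str(exc)))
            continue
        for url in _schema_urls(doc):
            host = (urlparse(url).hostname or "").lower()
            if url.startswith(("http://", "https://")) and host not in SCHEMA_HOST_ALLOWLIST:
                findings.append((path, "remote schema outside allowlist", url))
        if path.endswith(".vscode/settings.json") and isinstance(doc, dict):
            for key, val in doc.items():
                if key.endswith(EXECUTABLE_KEY_SUFFIXES):
                    findings.append((path, "executable/command setting in repo-controlled file", f"{key} = {val!r}"))
                if key in HARDENING_BASELINE and val != HARDENING_BASELINE[key]:
                    findings.append((path, "workspace file overrides hardening baseline", f"{key} = {val!r}"))
    return findings


def hardening_gaps(user_settings):
    """Return baseline keys that are missing or weakened in user-level settings."""
    return sorted(k for k, want in HARDENING_BASELINE.items() if user_settings.get(k) != want)


# Constructed sample checkout: one planted schema reference and one planted
# executable path. The hostname is a reserved .invalid name, not an indicator.
SAMPLE_FILES = {
    "tsconfig.json": '{"$schema": "https://json.schemastore.org/tsconfig", "compilerOptions": {}}',
    "config/app.json": '{"$schema": "https://schema.example.invalid/app.json", "debug": true}',
    ".vscode/settings.json": (
        '{\n  // constructed: planted by a malicious commit\n'
        '  "json.schemaDownload.enable": true,\n'
        '  "someTool.executablePath": "./scripts/helper",\n'
        '  "editor.tabSize": 2\n}'
    ),
}

if __name__ == "__main__":
    for finding in audit_workspace(SAMPLE_FILES):
        print(*finding, sep=" | ")
    print("user-level gaps:", hardening_gaps({"security.workspace.trust.enabled": True}))
```

Run against a real checkout by replacing SAMPLE_FILES with the contents of every *.json file plus .vscode/settings.json; the audit is meant for a pre-commit hook or CI step on repositories that developers open in an AI-assisted IDE, so a planted schema URL or executable path is caught before the agent has a chance to touch the file.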
The findings underscore a critical challenge as AI capabilities expand across software development tools: legacy features designed for human users can become dangerous when accessible to autonomous AI agents operating under adversarial influence.