
Over 30 Security Flaws in AI IDEs Enable Data Exfiltration and RCE Attacks


These articles are AI-generated summaries. Please check the original sources for full details.

Over 30 security vulnerabilities have been disclosed in AI-powered IDEs. Each chains a prompt-injection primitive with a legitimate IDE feature to achieve data exfiltration or remote code execution.

Security researcher Ari Marzouk has identified over 30 vulnerabilities in AI-powered IDEs, 24 of which have been assigned CVE identifiers. The flaws combine prompt injection with tool calls that the IDE auto-approves: an attacker who can get text in front of the assistant (for example through a file in a cloned repository) can bypass its guardrails and turn ordinary features such as file writes and settings edits into data exfiltration and remote code execution.

Why This Matters

AI-powered IDEs treat their own features as inherently safe, but this research shows how prompt injection plus auto-approved tool calls turns those legitimate functions into attack primitives. The flaws affect tools including GitHub Copilot, Cursor, and Zed.dev, and because the dangerous tool calls are auto-approved, the data leak or code execution happens without any approval prompt ever reaching the developer. The exposure is broad: any developer running one of these assistants against untrusted content risks leaking sensitive data or having their machine compromised through a misconfigured or over-permissioned agent.

Key Insights

  • Scope: over 30 flaws were found across Cursor, GitHub Copilot, Zed.dev, and other AI IDEs, with 24 CVEs assigned.
  • Technique: prompt injection combined with auto-approved tool calls. Once the agent's guardrails are bypassed, the attacker drives IDE features such as file writes or settings edits on the victim's behalf.
  • Impact on GitHub Copilot: despite its wide use, Copilot is among the affected products, with flaws that allow data exfiltration and code execution.

Practical Applications

  • Use case: AI IDEs such as GitHub Copilot are relied on for code suggestions, yet the same assistant can be steered by prompt injection into exfiltrating data from the workspace.
  • Pitfall: auto-approving file writes lets an injected prompt modify workspace settings that the IDE acts on, which is enough to reach arbitrary code execution.
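The pitfall above is a policy failure: the IDE auto-approves a write because it is "just a file", even when that file is configuration the IDE itself executes or trusts. The following gate is an added example (not code from the research or from any of the IDEs named) showing how an agent's file-write tool calls could be screened before auto-approval. The tool-call shape (a dict with `tool` and `path` keys relative to a workspace root), the `/workspace` root, and the lists of sensitive directories and file names are assumptions for illustration; a real deployment would extend them for the IDE and build tooling in use. It also handles the edge cases that make naive path matching fail: `..` segments, absolute paths, and Windows-style separators.

```python
"""Approval gate for an AI-IDE agent's file-write tool calls (added example).

Policy: ordinary source files may be auto-approved; anything the IDE or the
build tooling interprets as configuration must go back to the user; anything
outside the workspace is denied outright.
"""
import posixpath

WORKSPACE = "/workspace"  # assumed workspace root for this example

# Assumed, illustrative lists of paths that an IDE or its tooling executes or
# trusts implicitly. Extend these for the editor actually in use.
SENSITIVE_DIRS = {".vscode", ".cursor", ".zed", ".idea", ".git", ".github"}
SENSITIVE_FILES = {
    "settings.json", "tasks.json", "launch.json", "mcp.json",
    ".cursorrules", ".envrc", "Makefile", "package.json", "pyproject.toml",
}


def normalize(path: str, workspace: str = WORKSPACE) -> str:
    """Resolve separators, '..' segments and absolute paths against the root."""
    path = path.replace("\\", "/")  # tolerate Windows-style separators
    joined = path if path.startswith("/") else posixpath.join(workspace, path)
    return posixpath.normpath(joined)


def classify_write(path: str, workspace: str = WORKSPACE) -> str:
    """Return 'auto', 'ask' or 'deny' for a write to `path`.

    deny: resolves outside the workspace (traversal or absolute path)
    ask:  inside the workspace but touches executed/trusted configuration
    auto: an ordinary source file
    """
    resolved = normalize(path, workspace)
    root = workspace.rstrip("/")
    if not resolved.startswith(root + "/"):
        return "deny"
    rel = resolved[len(root) + 1:]
    parts = rel.split("/")
    directories, name = parts[:-1], parts[-1]
    if any(d in SENSITIVE_DIRS for d in directories) or name in SENSITIVE_FILES:
        return "ask"
    if name.startswith("."):
        return "ask"  # dotfiles (.env, .bashrc, ...) are config until proven otherwise
    return "auto"


def review_calls(calls: list[dict], workspace: str = WORKSPACE) -> dict[str, list[str]]:
    """Bucket a batch of tool calls by decision. Non-write tools are passed through."""
    decisions: dict[str, list[str]] = {"auto": [], "ask": [], "deny": []}
    for call in calls:
        if call.get("tool") != "write_file":
            decisions["auto"].append(f"{call.get('tool')}")  # no file-system side effect
            continue
        decisions[classify_write(call["path"], workspace)].append(call["path"])
    return decisions


if __name__ == "__main__":
    # Constructed sample batch: what an injected prompt might ask the agent to do
    # alongside the legitimate edit the developer actually requested.
    sample_calls = [
        {"tool": "write_file", "path": "src/main.py"},
        {"tool": "write_file", "path": ".vscode/settings.json"},
        {"tool": "write_file", "path": "src/../.vscode/tasks.json"},
        {"tool": "write_file", "path": "docs\\..\\.cursor\\mcp.json"},
        {"tool": "write_file", "path": "../../etc/profile"},
        {"tool": "read_file", "path": "README.md"},
    ]
    for decision, paths in review_calls(sample_calls).items():
        print(f"{decision:>4}: {paths}")
```

The important design choice is that the decision is made on the resolved path, not on the string the agent supplied: `src/../.vscode/tasks.json` and `docs\..\.cursor\mcp.json` both land in an IDE configuration directory and are sent back to the user, while a traversal out of the workspace is refused rather than merely queued for review.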
