A security hole within AI dev tools has allowed attackers to escape sandboxes by misleading the humans in the loop who were supposed to knowingly approve the tool’s actions, according to cybersecurity research firm Wiz.
“We discovered GhostApproval, a systematic vulnerability pattern affecting six of the top AI coding assistants: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf [now known as Devin Desktop],” the Wiz report said. “In each case, a malicious repository can trick the agent into accessing arbitrary files outside the workspace sandbox, potentially achieving remote code execution on the developer’s machine.”
The first report of the hole came earlier this month from Cato Networks, but was limited to one platform, Cursor, whereas Wiz found that its impact was far wider.
The underlying security problem, symbolic links (symlinks), is well known and has been leveraged for decades. But GhostApproval, Wiz noted, goes well beyond their historic use as an attack vector.
Symbolic links are special files that act as shortcuts to other files or directories. In attacks, they typically resolve to a target outside of the intended control sphere, which allows a threat actor to operate on unauthorized files in a less- or uncontrolled environment, outside of a secure sandbox, or even an air-gapped system.
“In several cases,” Wiz noted, “the agent’s internal reasoning explicitly recognizes the dangerous target, yet the confirmation prompt shown to the user conceals this information entirely. This is CWE-451 – UI misrepresentation of critical information – layered on top of the symlink vulnerability. The user approves what they believe is a harmless local edit. The agent then writes to a sensitive file outside of the project workspace.”
Wiz said it reported the issue to the six vendors initially impacted; AWS, Cursor and Google “fixed the issue promptly,” Augment and Windsurf/Devin “acknowledged receipt but went silent,” and Anthropic had already fixed the problem before it was contacted by Wiz.
Potentially massive exposure
But analysts and consultants said the AI dev tool problem that Wiz described illustrates a far greater security risk: enterprises are trusting these tools and the information they report far too much, which is what may give attackers a big opportunity.
Katie Norton, senior research manager for DevSecOps at IDC, noted that the Wiz report pointed out a disturbing fact. “The safety check people rely on to catch these actions doesn’t actually stop anything. That’s a real way for an attacker to break into a developer’s machine,” she said. “The scope is bounded by one condition: the attack requires a developer to clone and operate on an untrusted or malicious repository. That concentrates the risk in workflows touching external contributors, forked repositories, and third-party or open source dependencies, rather than in internally authored code.”
Norton said the exposure from this flaw, along with similar holes in other AI dev tools, is potentially massive. “Since March 2025, security vendors and researchers have disclosed comparable issues in nearly every major AI coding assistant. That pattern: a mitigation ships, then a new bypass of that same mitigation surfaces within months. That is worth watching and reflects how new this category’s threat model still is across the board, it’s not a gap specific to any one vendor’s practices.”
That means, she said, that agentic coding tools need multilayered defense, because the risk isn’t confined to the code an agent generates. “The tools themselves sit within the software supply chain and can be attacked directly. GhostApproval makes that point clearly,” she noted.
“The vulnerability has nothing to do with code quality or insecure output. It’s a flaw in how the agent handles files and represents its own actions to the user, introduced by the tool’s design rather than a bad prompt or a compromised dependency. Failure to account for the coding tools’ own attack surface is what leaves this kind of gap unaddressed.”
Rethink policies and procedures
Noah Kenney, principal consultant at Digital 520, agreed; enterprise CISOs need to potentially rethink many of their AI dev tool policies and procedures.
“The significant part is that the agent’s own reasoning identified the malicious target and the approval dialog hid it anyway. The tool knew it was writing to SSH keys and still asked a human to approve an edit to a config file, giving the human an illusion of control over the model,” Kenney said. “Many considered human in the loop to be the answer to agent risk, but this report shows that the loop can be fed bad information by the very agent it is supposed to be supervising.”
Because of this, Kenney advised adjusting the way tool management is enforced.
“Treat AI coding assistants as privileged software with filesystem access, not as editor plugins. That means patch discipline, version pinning, and knowing which tools in your environment write to disk before authorization,” Kenney said. “Then sandbox the blast radius. These agents should run against trusted repositories in isolated environments where a write to authorized_keys goes nowhere. Do not rely on the tool’s own dialog as your control or governance solution.”
A category-wide design issue
Justin Greis, CEO of consulting firm Acceligence, added that this security hole is a much bigger enterprise security strategy problem than most CISOs realize.
“Six different vendors independently arrived at a very similar trust model. That suggests we’re looking at a category-wide design challenge rather than a collection of isolated implementation bugs. If vulnerabilities like this remained uncorrected, they would represent a meaningful enterprise risk, particularly for organizations that allow AI coding assistants to interact with untrusted repositories or production development environments,” he said.
“The immediate concern isn’t simply remote code execution. It’s that these agents operate with a level of filesystem access, tool access, and developer trust that traditional IDE extensions never had. Once an AI agent becomes an active participant in software development, every trust boundary it crosses becomes part of the organization’s attack surface.”
No Responses