AI Vendors Downplay Security Flaws in Popular Tools

Severity: High (Score: 61.5)

Sources: Theregister

Summary

Recent research revealed significant vulnerabilities in three AI agents used with GitHub Actions: Anthropic's Claude Code Security Review, Google's Gemini CLI Action, and Microsoft's GitHub Copilot. The flaws allow attackers to hijack the agents and steal API keys and access tokens. Despite their severity, none of the vendors assigned CVEs or issued public security advisories. Separately, Anthropic's Model Context Protocol (MCP) was found to have a design flaw that could compromise up to 200,000 servers; the company has declined to patch the root cause, stating that the behaviour is expected. The absence of federal regulation of AI security further complicates the situation, leaving developers and companies to manage the risk themselves. The overall impact could extend to the millions of users who rely on these AI tools for development.

Key Points:

  • Three AI agents have critical vulnerabilities allowing API key and access token theft.
  • Anthropic's MCP design flaw puts up to 200,000 servers at risk but will not be patched.
  • No CVEs or public advisories have been issued by the vendors for these issues.
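As a practitioner's follow-up to the summary, the following is an added example written for this page; it is not code from the article, from the researchers it reports on, or from Anthropic, Google or Microsoft. The article does not describe how the agents are hijacked, so this script does not detect the specific flaws. It inventories, from a GitHub Actions workflow file, which steps pass repository secrets to a third-party action while the workflow runs on events that carry attacker-authored content, and which write permissions the job holds: that is the exposure a hijacked agent step inherits. The workflow text and the action name example-vendor/ai-review-action are constructed placeholders, and the set of untrusted events is an assumption taken from general GitHub Actions hardening guidance, not from the article.

```python
"""Inventory GitHub Actions steps that hand secrets to third-party actions on
triggers whose payload an outsider can author.

Added example for this page; not code from the article or from any vendor
named in it.  The article does not describe the exploit mechanism, so this is
a generic exposure inventory, not a detector for the specific flaws.  Action
names and workflow contents below are constructed placeholders."""
import re

# Assumption: events whose payload (PR body, issue comment, issue text) is
# attacker-authored.  pull_request_target additionally runs with the base
# repository's secrets available.  Not taken from the article.
UNTRUSTED_EVENTS = {"pull_request_target", "issue_comment", "issues",
                    "discussion", "discussion_comment", "workflow_run"}

# Matches ${{ secrets.NAME }} expressions in with:/env: values.
SECRET_REF = re.compile(r"\$\{\{\s*secrets\.([A-Za-z0-9_]+)\s*\}\}")

# Constructed sample: an AI-review step fed two secrets on untrusted triggers.
SAMPLE_WORKFLOW = """\
name: ai-review
on:
  pull_request_target:
    types: [opened, synchronize]
  issue_comment:
    types: [created]
permissions:
  contents: write
  pull-requests: write
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run AI reviewer
        uses: example-vendor/ai-review-action@v1
        with:
          api_key: ${{ secrets.VENDOR_API_KEY }}
          github_token: ${{ secrets.GITHUB_TOKEN }}
      - name: Lint
        run: make lint
"""

# Constructed hardened variant: plain pull_request trigger, read-only token.
HARDENED_WORKFLOW = """\
name: ai-review
on:
  pull_request:
permissions:
  contents: read
jobs:
  review:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-vendor/ai-review-action@v1
        with:
          api_key: ${{ secrets.VENDOR_API_KEY }}
"""


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def parse_workflow(text):
    """Minimal indentation-based scan of a workflow file (stdlib only).

    Returns (events, top-level permissions, steps); each step records the
    action it `uses` and the secrets referenced in its block."""
    events, permissions, steps = set(), {}, []
    section, current = None, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        ind, line = _indent(raw), raw.strip()
        if ind == 0:
            key, _, rest = line.partition(":")
            section, current = key.strip(), None
            if section == "on" and rest.strip():
                # Inline forms: "on: push" or "on: [push, pull_request]".
                events.update(e.strip() for e in rest.strip().strip("[]").split(",") if e.strip())
            continue
        if section == "on" and ind == 2:
            events.add(line.split(":", 1)[0].strip())
        elif section == "permissions" and ind == 2:
            key, _, value = line.partition(":")
            permissions[key.strip()] = value.strip()
        elif section == "jobs":
            if line.startswith("- "):          # start of a new step
                current = {"uses": None, "secrets": set()}
                steps.append(current)
                line = line[2:].strip()
            if current is None:               # job metadata, not a step
                continue
            if line.startswith("uses:"):
                current["uses"] = line.split(":", 1)[1].strip()
            current["secrets"].update(SECRET_REF.findall(line))
    return events, permissions, steps


def findings(text):
    """Steps that receive secrets while the workflow runs on untrusted events."""
    events, permissions, steps = parse_workflow(text)
    risky_events = sorted(events & UNTRUSTED_EVENTS)
    write_scopes = sorted(k for k, v in permissions.items() if v == "write")
    if not risky_events:
        return []
    return [
        {"action": s["uses"], "secrets": sorted(s["secrets"]),
         "events": risky_events, "write_scopes": write_scopes}
        for s in steps if s["uses"] and s["secrets"]
    ]


if __name__ == "__main__":
    for name, wf in (("sample", SAMPLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, findings(wf))
```

The scanner reads the file line by line rather than through a YAML library so it runs without dependencies; it handles the common workflow layout (two-space indentation, `on:` and `permissions:` as mappings) and ignores nested `types:` lists. A hit means a third-party step can reach a secret on a run whose input an outsider controls; the `write_scopes` field shows what a leaked GITHUB_TOKEN could do. Run it over a checkout's `.github/workflows/*.yml` to triage which pipelines deserve the trigger and permission review first.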

Key Entities

  • Anthropic (company)
  • Google (company)
  • Microsoft (company)
  • Claude (tool)
  • GitHub Actions (tool)
  • GitHub Copilot (tool)
  • Claude Code Security Review (platform)
  • Gemini CLI Action (platform)