Letsdatascience
GhostApproval Vulnerability in AI Coding Agents Allows Remote Code Execution
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
A vulnerability named 'GhostApproval' was discovered by Wiz, affecting six AI coding assistants, allowing attackers to trick these agents into accessing files outside their designated sandbox. The flaw can lead to remote code execution on developers' machines. Affected tools include Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. Amazon, Cursor, and Google have deemed the flaw critical or high-severity and have issued fixes, while Augment and Windsurf have acknowledged the issue but have not yet patched it. Anthropic dismissed the vulnerability as 'outside our threat model.' The vulnerability exploits symlink-based path escapes, a long-standing security issue in Unix systems. While there is no evidence of active exploitation, the risk remains significant for enterprises using these AI tools.
Key Points: • GhostApproval allows AI coding agents to access unauthorized files, risking remote code execution. • Amazon, Cursor, and Google have issued fixes, while Augment, Windsurf, and Anthropic have not. • The vulnerability exploits classic symlink security issues, highlighting gaps in AI agent sandboxing.