Executive Summary
In December 2025, researcher Ari Marzouk (MaccariTA) uncovered over 30 serious security flaws, collectively named "IDEsaster", in popular AI-powered Integrated Development Environments (IDEs). Through prompt injection, attackers could exploit these vulnerabilities to exfiltrate data and execute code remotely within developer environments. The flaws stemmed from unsafe integration of AI features, including insufficient sandboxing and a lack of network traffic controls, exposing sensitive code and credentials to threat actors. Notably, the vulnerabilities allowed lateral movement and direct access to code repositories, putting business continuity and intellectual property at risk.
This incident is especially significant as AI adoption in coding workflows accelerates, creating new attack vectors. The surge in prompt injection and AI supply chain threats, paired with evolving attacker tactics targeting developer tools, highlights the urgent need for organizations to strengthen segmentation, monitoring, and AI risk governance.
Why This Matters Now
As AI development tools become more embedded in enterprise workflows, attackers are increasingly targeting these environments with sophisticated prompt injection and AI supply chain exploits. Rapid integration without robust segmentation or traffic controls amplifies the risk of data theft and system compromise, creating an urgent need for organizations to reassess their security in the context of AI-driven workflows.
Attack Path Analysis
Attackers exploited prompt injection and insecure features in AI-powered IDEs for initial access. Upon establishing a foothold, they leveraged vulnerabilities to escalate privileges on affected systems. Adversaries moved laterally within internal cloud or hybrid environments using compromised credentials or abused AI IDE services. They established command and control via outbound connections, bypassing inadequate egress controls and detection. Sensitive source code and other data were quietly exfiltrated over network channels. This culminated in remote code execution, possible deployment of ransomware, or further business disruption within compromised environments.
Kill Chain Progression
Initial Compromise
Description
Exploitation of prompt injection and insecure integration in AI-powered IDEs granted attackers initial access to developer environments.
Related CVEs
CVE-2025-54135
CVSS 8.6
A prompt injection vulnerability in Cursor's Model Context Protocol (MCP) allows remote code execution without user approval.
Affected Products:
Cursor AI Code Editor – < 1.3.9
Exploit Status:
proof of concept
CVE-2025-53773
CVSS 7.8
A prompt injection vulnerability in GitHub Copilot allows remote code execution by modifying IDE settings to execute malicious code.
Affected Products:
GitHub Copilot – < 1.0.0
Exploit Status:
proof of concept
CVE-2025-49150
CVSS 7.5
A prompt injection vulnerability in Cursor allows data exfiltration through malicious JSON schema validation requests.
Affected Products:
Cursor AI Code Editor – < 1.3.9
Exploit Status:
proof of concept
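The first two CVEs above share a root cause: configuration that a repository can ship (MCP server definitions, IDE settings) ends up launching commands with no approval step. One defensive check is to audit such workspace-supplied configuration against a reviewed allowlist before the IDE is allowed to start anything from it. The following is an added example, not code from the page or from any IDE vendor; the config shape ({"mcpServers": {name: {"command", "args"}}}), the allowlist entries, the interpreter flag table and both sample configs are assumptions constructed for the example.

```python
"""Trust check for MCP server definitions shipped inside a repository.

Added example, not code from the page or from any IDE vendor. The config shape
{"mcpServers": {<name>: {"command": ..., "args": [...]}}} and the allowlist are
assumptions constructed for this example.
"""
import json
import os

# Hypothetical organisation allowlist: server name -> launch prefix that a
# security review approved. A workspace config may only start these, exactly.
TRUSTED_SERVERS = {
    "filesystem": ("npx", "-y", "@modelcontextprotocol/server-filesystem"),
}

# Interpreters that accept a script on the command line. A config that starts
# one of these with an inline-script flag runs arbitrary code the moment the
# IDE spawns the server, i.e. with no user approval step at all.
INLINE_SCRIPT_FLAGS = {
    "sh": {"-c"}, "bash": {"-c"}, "zsh": {"-c"},
    "python": {"-c"}, "python3": {"-c"},
    "node": {"-e", "--eval"},
    "powershell": {"-c", "-command", "-encodedcommand"},
    "pwsh": {"-c", "-command", "-encodedcommand"},
    "cmd": {"/c"}, "cmd.exe": {"/c"},
}


def audit_mcp_config(config_text, trusted=TRUSTED_SERVERS):
    """Return a list of findings; an empty list means every server is approved."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, spec in servers.items():
        command = str(spec.get("command", ""))
        args = [str(a) for a in spec.get("args", [])]
        launch = (command, *args)

        # 1. Only reviewed server names may appear in a repository-supplied config.
        if name not in trusted:
            findings.append({"server": name, "issue": "untrusted-server", "launch": launch})
        # 2. A known name must still launch exactly the approved command prefix;
        #    a swapped package or an extra flag is a tampered definition.
        elif launch[: len(trusted[name])] != trusted[name]:
            findings.append({"server": name, "issue": "command-mismatch", "launch": launch})

        # 3. Regardless of name, flag interpreters started with an inline script.
        flags = INLINE_SCRIPT_FLAGS.get(os.path.basename(command).lower(), set())
        if any(arg.lower() in flags for arg in args):
            findings.append({"server": name, "issue": "inline-script", "launch": launch})
    return findings


# Constructed samples: a clean config and one with a tampered and an unknown server.
CLEAN_CONFIG = """{
  "mcpServers": {
    "filesystem": {"command": "npx",
                   "args": ["-y", "@modelcontextprotocol/server-filesystem", "."]}
  }
}"""

SUSPICIOUS_CONFIG = """{
  "mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "some-other-package"]},
    "helper": {"command": "/bin/bash", "args": ["-c", "echo untrusted"]}
  }
}"""

if __name__ == "__main__":
    for label, cfg in (("clean", CLEAN_CONFIG), ("suspicious", SUSPICIOUS_CONFIG)):
        for finding in audit_mcp_config(cfg):
            print(label, finding)
```

The check is deliberately strict about workspace-level configuration: a developer's own user-level servers can be trusted on the developer's say-so, but anything that arrives with a cloned repository is attacker-controllable input and gets the same treatment as any other untrusted file. Running this as a pre-commit or repository-scan step surfaces the tampered definition before an IDE ever parses it.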
MITRE ATT&CK® Techniques
Command and Scripting Interpreter
User Execution
Phishing
Automated Exfiltration
Exploitation of Remote Services
Access Token Manipulation
Stage Capabilities
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Vulnerability Identification and Risk Ranking
Control ID: 6.4.2
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 8
CISA ZTMM 2.0 – Application Security—Secure Coding Practices
Control ID: SP-5
NIS2 Directive – Technical and Organisational Measures
Control ID: Article 21(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
AI-powered IDE vulnerabilities enable prompt injection attacks against development environments, compromising source code integrity and enabling remote code execution in software development workflows.
Financial Services
IDEsaster vulnerabilities in AI coding tools threaten proprietary financial algorithms and customer data through code injection, violating PCI and regulatory compliance requirements.
Health Care / Life Sciences
AI IDE security flaws risk patient data exfiltration and HIPAA violations through compromised healthcare software development environments and medical device code integrity.
Information Technology/IT
Widespread AI IDE vulnerabilities expose IT infrastructure code repositories to data theft and remote exploitation, undermining zero trust segmentation and threat detection capabilities.
Sources
- Researcher Uncovers 30+ Flaws in AI Coding Tools Enabling Data Theft and RCE Attacks: https://thehackernews.com/2025/12/researchers-uncover-30-flaws-in-ai.html
- Prompt Injection to Code Execution: Cursor Code Editor Hit by Critical MCP Vulnerabilities (CVE-2025-54135 & CVE-2025-54136): https://securityonline.info/prompt-injection-to-code-execution-cursor-code-editor-hit-by-critical-mcp-vulnerabilities-cve-2025-54135-cve-2025-54136/
- Several Vulnerabilities Patched in AI Code Editor Cursor: https://www.securityweek.com/several-vulnerabilities-patched-in-ai-code-editor-cursor/
- IDEsaster: 30+ CVEs Hit Cursor, GitHub Copilot, All AI IDEs: https://byteiota.com/idesaster-30-cves-hit-cursor-github-copilot-all-ai-ides/
- Prompt Injection Attacks in Large Language Models and AI Agent Systems: A Comprehensive Review of Vulnerabilities, Attack Vectors, and Defense Mechanisms: https://www.mdpi.com/2078-2489/17/1/54
- AI Coding Tools Have 30+ Security Flaws: Data Theft Risk: https://byteiota.com/ai-coding-tools-have-30-security-flaws-data-theft-risk/
- IDEsaster: Why 100% of AI Coding Tools Have Critical Security Flaws (And What You Must Do Now): https://vibecodedirectory.beehiiv.com/p/idesaster-why-100-of-ai-coding-tools-have-critical-security-flaws-and-what-you-must-do-now
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust principles with CNSF controls such as segmentation, east-west monitoring, strict egress policy enforcement, and encrypted traffic would have constrained attack paths, limited movement, and detected or blocked exfiltration and remote code execution attempts.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: Initial exploit attempts are detected and blocked at the network layer.
Control: Zero Trust Segmentation
Mitigation: Role-based access barriers restrict privilege escalation paths.
Control: East-West Traffic Security
Mitigation: Internal lateral movement is prevented and anomalous flows trigger alerts.
Control: Egress Security & Policy Enforcement
Mitigation: Known and unknown C2 and suspicious outbound connections are identified and blocked.
Control: Encrypted Traffic (HPE) and Cloud Firewall (ACF)
Mitigation: Data exfiltration is detected and prevented via encrypted, monitored gateways; ransomware and suspicious runtime behavior are detected in real time.
Impact at a Glance
Affected Business Functions
- Software Development
- Code Review
- Continuous Integration/Continuous Deployment (CI/CD)
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of sensitive source code, API keys, and developer credentials due to data exfiltration vulnerabilities in AI-powered IDEs.
Recommended Actions
Key Takeaways & Next Steps
- Enforce strict zero trust segmentation and least-privilege access across all development and AI tooling environments.
- Implement continuous east-west traffic monitoring and policy to prevent lateral movement, especially within hybrid and containerized workloads.
- Apply comprehensive egress filtering and firewall controls to restrict unauthorized outbound and C2 connections from IDE and workload clusters.
- Ensure all sensitive network traffic—especially between cloud, hosted IDEs, and SaaS—is encrypted at line rate using validated high-performance solutions.
- Augment threat detection capabilities with anomaly response and baselining to promptly surface and contain new attack patterns or emerging AI-enabled threats.
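The egress-filtering and baselining recommendations above (and the "Egress Security & Policy Enforcement" control earlier on the page) come down to two checks on outbound traffic from developer workstations: is the destination on the process's allowlist, and is the volume to any one destination consistent with normal IDE use. The following is an added example, not code from the page or from any vendor; the key=value proxy log format, the allowlist hostnames, the byte threshold and the sample log lines are constructed assumptions.

```python
"""Egress audit for IDE/agent traffic from developer workstations.

Added example, not code from the page or from any vendor. The log format
(key=value fields from an egress proxy), the allowlist, the byte threshold and
the sample lines are all constructed assumptions.
"""
import re
from collections import defaultdict

FIELD_RE = re.compile(r"(\w+)=(\S+)")

# Hypothetical policy: per process, the only hosts the IDE's AI agent may reach.
# Hostnames are placeholders; a real policy lists the model API and registries in use.
EGRESS_ALLOWLIST = {
    "ide-agent": {"api.example-llm.invalid", "registry.npmjs.org", "github.com"},
}
# Bytes one workstation may send to one destination within the log window
# before the volume itself is treated as a possible exfiltration signal.
VOLUME_THRESHOLD = 5_000_000


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; fields missing from the line are simply absent."""
    return dict(FIELD_RE.findall(line))


def split_host_port(dst):
    """Split 'host:port' into (host, port); a bare host gets an empty port."""
    host, sep, port = dst.rpartition(":")
    return (host, port) if sep else (dst, "")


def audit_egress(lines, allowlist=EGRESS_ALLOWLIST, threshold=VOLUME_THRESHOLD):
    """Return alerts: unlisted destinations first, then per-destination volume breaches."""
    alerts = []
    volume = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if "src" not in rec or "dst" not in rec:
            continue  # malformed line: nothing to evaluate
        host, _port = split_host_port(rec["dst"])
        proc = rec.get("proc", "")
        # Control 1: anything outside the process's allowlist is alerted on (and, at
        # the edge, blocked); unknown C2 surfaces here even when the host is new.
        if host not in allowlist.get(proc, set()):
            alerts.append({"type": "unlisted-destination", "src": rec["src"],
                           "proc": proc, "dst": rec["dst"]})
        volume[(rec["src"], host)] += int(rec.get("bytes_out", "0"))
    # Control 2: exfiltration over an allowed channel (e.g. bulk source pushed
    # through the model API) is caught by outbound volume, not by destination.
    for (src, host), total in volume.items():
        if total > threshold:
            alerts.append({"type": "volume-threshold", "src": src, "dst": host,
                           "total_bytes": total})
    return alerts


# Constructed egress-proxy log lines from two developer workstations.
SAMPLE_LOG = """
ts=2025-12-10T10:15:02Z src=dev-ws-17 proc=ide-agent dst=api.example-llm.invalid:443 bytes_out=2100 action=allow
ts=2025-12-10T10:15:09Z src=dev-ws-17 proc=ide-agent dst=registry.npmjs.org:443 bytes_out=512 action=allow
ts=2025-12-10T10:16:41Z src=dev-ws-17 proc=ide-agent dst=203.0.113.45:8443 bytes_out=980 action=allow
ts=2025-12-10T10:17:03Z src=dev-ws-17 proc=ide-agent dst=api.example-llm.invalid:443 bytes_out=6000000 action=allow
ts=2025-12-10T10:18:20Z src=dev-ws-22 proc=ide-agent dst=github.com:443 bytes_out=300 action=allow
"""

if __name__ == "__main__":
    for alert in audit_egress(SAMPLE_LOG.strip().splitlines()):
        print(alert)
```

The two controls are complementary: the allowlist stops the unknown-destination case that a plain prompt-injection payload relies on, while the volume baseline catches the harder case where data leaves through a destination the policy must permit, such as the model API itself. In practice the threshold is derived from a per-team baseline rather than a fixed constant.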