The GhostApproval flaw disrupts six leading AI coding agents.

The GhostApproval flaw disrupts six leading AI coding agents.

      A security firm named Wiz discovered an old Unix exploit that exposes vulnerabilities in six widely-used AI coding assistants, including Amazon Q and Cursor. A compromised repository is capable of bypassing its own safety prompt, resulting in a planted key that grants an attacker access to the developer's machine.

      This exploit, referred to as GhostApproval by Wiz, affects six popular AI coding tools, as reported by The Register. It enables a manipulated repository to compel an agent to write files well beyond its designated workspace, potentially allowing the developer's machine to be taken over.

      The affected AI assistants are Amazon Q Developer, Claude Code from Anthropic, Augment, Cursor, Google Antigravity, and Windsurf. This method, which has been around for years, exploits symbolic links (symlinks), a longstanding shortcut file that points elsewhere.

      How the trap is triggered

      An attacker creates a tainted repository containing a symlink disguised as a harmless configuration file, such as project_settings.json, which actually directs to the user's SSH keys. A README file instructs the agent to modify this "config" during its setup process.

      When a developer clones the repository and requests the agent to "set up the workspace," the agent follows the README and mistakenly writes an attacker-controlled SSH key into the actual keys file. This grants the attacker unobstructed, password-free access to the machine, resembling a previous vulnerability in Amazon Q's booby-trapped repository.

      The confirmation issue

      Most of these tools present a confirmation dialog before executing risky actions. However, Wiz discovered that the dialog misrepresented information. The agents realized the symlink pointed to a harmful location but concealed the actual target, displaying only the innocuous file name.

      Claude Code had the most problematic response. Its reasoning acknowledged that the file was legitimately a shell configuration. It then prompted the user, “Make this edit to project_settings.json?” Wiz criticized this consent as “substantively empty,” identifying the misleading prompt as a separate flaw in the user interface. This same vulnerability allows attackers to manipulate coding agents and induce them to reveal confidential code.

      Responses from companies

      Amazon, Cursor, and Google treated it seriously. Amazon released a CVE and updated Q Developer, while Cursor addressed the issue in version 3.0. Google patched Antigravity in May. Augment and Windsurf recognized it as critical but had not provided updates at the time of reporting.

      Anthropic countered that the scenario fell “outside our threat model” since the user had placed trust in the directory. Their triage process closed the ticket as “informative.” Subsequently, Anthropic informed Wiz that their fix was already in place before the report; Claude Code's symlink warning was implemented on February 5, nine days before Wiz's filing, as a proactive measure.

      Significance of the issue

      Organizations entrust these agents with significant access to their code and cloud resources. When safety prompts obscure real dangers, the human-in-the-loop process becomes merely a formality. There is now a divide among vendors and researchers regarding solutions: should users be protected from deceptive repositories, or is that a responsibility of the developer? Nonetheless, one lesson is clear: even new AI technologies can still be vulnerable to the oldest bugs.

Other articles

Only 6% of managers in the UK believe that Gen Z is prepared for the workforce. Only 6% of managers in the UK believe that Gen Z is prepared for the workforce. A CMI report reveals that 45% of UK Gen Z believe they are prepared for the workforce, while only 6% of managers concur. Furthermore, 82% of these managers were promoted without any training. Merely 6% of managers in the UK believe that Gen Z is prepared for the workforce. Merely 6% of managers in the UK believe that Gen Z is prepared for the workforce. A CMI report reveals that 45% of Gen Z in the UK believe they are prepared for the workplace, yet only 6% of managers concur with this assessment. Additionally, 82% of these managers were promoted without receiving any training. Cloudflare and OpenAI are collaborating on a pilot project to enhance the freshness of AI search results. Cloudflare and OpenAI are collaborating on a pilot project to enhance the freshness of AI search results. Cloudflare is collaborating with OpenAI to integrate real-time network signals into ChatGPT's search, marking a shift for a company that was established to prevent AI crawlers. ZML's complimentary AI server operates on all major chipsets. ZML's complimentary AI server operates on all major chipsets. France's ZML has launched ZML/LLMD, a free inference server that operates open-source AI at high speed on Nvidia, AMD, Google, Intel, and Apple processors. OpenAI's GPT-Live: A ChatGPT voice that both listens and speaks. OpenAI has introduced GPT-Live, a voice feature for ChatGPT that allows for simultaneous listening and speaking, complete with live translation. This feature is being made available to all users, including those using the free version. Cloudflare and OpenAI are collaborating on a pilot project to enhance the freshness of AI search results. Cloudflare and OpenAI are collaborating on a pilot project to enhance the freshness of AI search results. Cloudflare is collaborating with OpenAI to integrate real-time network signals into ChatGPT's search, marking a shift for a company that was founded on preventing AI crawlers.

The GhostApproval flaw disrupts six leading AI coding agents.

Wiz's 'GhostApproval' employs an old symlink method to enable six AI coding agents, including Amazon Q and Cursor, to write beyond the sandbox and transfer control of the box.