The GhostApproval flaw disrupts six leading AI coding agents.
A security firm named Wiz discovered an old Unix exploit that exposes vulnerabilities in six widely-used AI coding assistants, including Amazon Q and Cursor. A compromised repository is capable of bypassing its own safety prompt, resulting in a planted key that grants an attacker access to the developer's machine.
This exploit, referred to as GhostApproval by Wiz, affects six popular AI coding tools, as reported by The Register. It enables a manipulated repository to compel an agent to write files well beyond its designated workspace, potentially allowing the developer's machine to be taken over.
The affected AI assistants are Amazon Q Developer, Claude Code from Anthropic, Augment, Cursor, Google Antigravity, and Windsurf. This method, which has been around for years, exploits symbolic links (symlinks), a longstanding shortcut file that points elsewhere.
How the trap is triggered
An attacker creates a tainted repository containing a symlink disguised as a harmless configuration file, such as project_settings.json, which actually directs to the user's SSH keys. A README file instructs the agent to modify this "config" during its setup process.
When a developer clones the repository and requests the agent to "set up the workspace," the agent follows the README and mistakenly writes an attacker-controlled SSH key into the actual keys file. This grants the attacker unobstructed, password-free access to the machine, resembling a previous vulnerability in Amazon Q's booby-trapped repository.
The confirmation issue
Most of these tools present a confirmation dialog before executing risky actions. However, Wiz discovered that the dialog misrepresented information. The agents realized the symlink pointed to a harmful location but concealed the actual target, displaying only the innocuous file name.
Claude Code had the most problematic response. Its reasoning acknowledged that the file was legitimately a shell configuration. It then prompted the user, “Make this edit to project_settings.json?” Wiz criticized this consent as “substantively empty,” identifying the misleading prompt as a separate flaw in the user interface. This same vulnerability allows attackers to manipulate coding agents and induce them to reveal confidential code.
Responses from companies
Amazon, Cursor, and Google treated it seriously. Amazon released a CVE and updated Q Developer, while Cursor addressed the issue in version 3.0. Google patched Antigravity in May. Augment and Windsurf recognized it as critical but had not provided updates at the time of reporting.
Anthropic countered that the scenario fell “outside our threat model” since the user had placed trust in the directory. Their triage process closed the ticket as “informative.” Subsequently, Anthropic informed Wiz that their fix was already in place before the report; Claude Code's symlink warning was implemented on February 5, nine days before Wiz's filing, as a proactive measure.
Significance of the issue
Organizations entrust these agents with significant access to their code and cloud resources. When safety prompts obscure real dangers, the human-in-the-loop process becomes merely a formality. There is now a divide among vendors and researchers regarding solutions: should users be protected from deceptive repositories, or is that a responsibility of the developer? Nonetheless, one lesson is clear: even new AI technologies can still be vulnerable to the oldest bugs.
Other articles
The GhostApproval flaw disrupts six leading AI coding agents.
Wiz's 'GhostApproval' employs an old symlink method to enable six AI coding agents, including Amazon Q and Cursor, to write beyond the sandbox and transfer control of the box.
