
The tools developers trust to write secure code are themselves security liabilities. Security researcher Ari Marzouk has uncovered over 30 vulnerabilities collectively named “IDEsaster” affecting every major AI coding tool on the market—including Cursor, Windsurf, GitHub Copilot, and Claude Code. With 24 CVEs assigned and critical command injection flaws discovered, 100% of tested AI IDEs were found vulnerable to data theft and remote code execution attacks. Millions of developers using these AI coding tools daily are at risk of having their credentials, source code, and API keys stolen—all through legitimate IDE features weaponized by AI agents.
Every AI Coding Tool Tested Was Vulnerable
This isn’t a few isolated bugs in AI coding tools. After a six-month investigation, Marzouk discovered 30+ vulnerabilities across 10+ major AI coding platforms: Cursor, Windsurf, GitHub Copilot, Zed.dev, Roo Code, JetBrains Junie, Kiro.dev, Claude Code, Cline, and OpenAI Codex CLI. Twenty-four of these vulnerabilities have been assigned official CVE identifiers. The vulnerability rate? 100%.
The irony is staggering. An industry built on improving code quality and developer productivity has rushed AI coding tools to market with critical security flaws. And this isn’t happening in a vacuum—84% of developers now use or plan to use AI coding assistants, with 51% using them daily. Forty-one percent of all code written in 2025 is AI-generated or AI-assisted. The attack surface is massive and growing.
Marzouk’s core insight cuts to the heart of the problem: “All AI IDEs effectively ignore the base software in their threat model. They treat features as inherently safe because they’ve existed for years. However, autonomous AI agents weaponize these same features.”
Weaponizing Legitimate IDE Features
IDEsaster attacks follow a three-vector chain. First, attackers bypass LLM guardrails via prompt injection—planting hidden instructions in repository files like READMEs, .cursorrules, or even filenames. Second, AI agents autonomously follow these injected instructions through auto-approved tool calls. Third, the AI activates legitimate IDE features—file reading, file writing, settings editing—to exfiltrate data or execute malicious code.
What makes this dangerous is the stealth. These attacks use only legitimate IDE functionality, so they bypass traditional security tools. And because AI agents act autonomously, no user interaction is required.
Consider the data exfiltration vector, which affects six tools including Cursor (CVE-2025-49150), Roo Code (CVE-2025-53097), and JetBrains Junie (CVE-2025-58335). The AI reads sensitive files like .env files or API keys, writes a JSON file containing that data, and then leaks it through a remote schema validation request to an attacker-controlled server. To the user, everything looks normal. To the attacker, credentials are flowing freely.
Or take the RCE vector, affecting GitHub Copilot (CVE-2025-53773), Cursor (CVE-2025-54130), Roo Code (CVE-2025-53536), and Zed.dev (CVE-2025-55012). The AI modifies IDE settings files to redirect executable paths—linters, formatters, test runners—to malicious code. Next time the IDE runs one of these commands, the attacker achieves full system compromise.
OpenAI’s Codex CLI has its own command injection vulnerability (CVE-2025-61260), where tampering with .env and config.toml files allows arbitrary command execution at startup, no user permission required.
As Marzouk puts it: “However, once you add AI agents that can act autonomously, the same features can be weaponized into data exfiltration and RCE primitives.”
Compounding an Existing Crisis of Trust in AI Coding Tools
IDEsaster doesn’t exist in isolation—it compounds a trust crisis already underway with AI coding tools. Trust in AI accuracy has collapsed from 40% in 2024 to just 29% in 2025. Positive favorability toward AI tools dropped from 72% to 60% over the same period. Stack Overflow’s 2025 developer survey captured the mood perfectly: “Developers remain willing but reluctant to use AI.”
The security track record was already shaky. GitHub Copilot has been shown to leak secrets from its training data. Its code review capabilities frequently miss critical vulnerabilities like SQL injection, XSS, and insecure deserialization, focusing instead on low-severity issues like coding style and typos. Gartner identified vulnerable output and data leakage as top risks for AI coding assistants even before IDEsaster.
The paradox is brutal. Developers adopt these tools for productivity gains—vendors claim 30-75% time savings, and GitHub Copilot users reportedly complete 126% more projects per week. But if those projects ship with stolen credentials, injected backdoors, or compromised systems, what’s the real productivity delta?
The rush to capture a slice of the $7.37 billion AI coding tools market (projected to hit $23.97 billion by 2030) has led vendors to prioritize features over security. Economic incentives reward speed to market, not security rigor. And developers are paying the price.
What Developers Must Do Now
If you’re using GitHub Copilot or Cursor, update immediately—both have patched some of the disclosed CVEs. Audit your projects for suspicious content in .cursorrules files, READMEs, and configuration files. Review any installed MCP servers, which security advisories now warn should be “treated like untrusted third-party code—because that’s exactly what they are.”
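To make that audit concrete, here is an added example of a defensive scan, written for this article and not part of Marzouk's research or any vendor's tooling. It walks a checkout and flags the three surfaces the article describes: instruction files (.cursorrules, README.md) containing text a human reviewer would not see, JSON files whose "$schema" points at a host outside an allowlist (the remote-schema-validation channel named for the exfiltration vector), and IDE settings whose path-like keys point at executables inside the workspace (the tool-path redirection behind the RCE vector). The instruction file names, the schema host allowlist and the "key ends in path/command/executable" heuristic are assumptions; the sample repository it scans is constructed inline. Findings are review candidates, not verdicts.

```python
"""Repository audit for IDEsaster-style injection surfaces (added example)."""
from __future__ import annotations

import json
import os
import re
import tempfile
from dataclasses import dataclass
from urllib.parse import urlparse

# Files AI agents commonly read as instructions (assumption, extend as needed).
INSTRUCTION_FILES = {".cursorrules", "README.md", "AGENTS.md", "CLAUDE.md"}
# Hosts a "$schema" reference may point at without review (assumption).
SCHEMA_HOST_ALLOWLIST = {"json.schemastore.org", "json-schema.org"}
# Zero-width and bidi control characters invisible in most editors.
HIDDEN_CHARS = re.compile(r"[\u200b\u200c\u200d\u2060\ufeff\u202a-\u202e\u2066-\u2069]")
HTML_COMMENT = re.compile(r"<!--.*?-->", re.S)  # not rendered by markdown viewers
PATHLIKE_KEY = re.compile(r"(path|command|executable)$", re.I)  # heuristic


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str
    detail: str


def scan_instruction_file(path: str, text: str) -> list[Finding]:
    """Flag content hidden from a human reader of an instruction file."""
    findings = []
    if HIDDEN_CHARS.search(text):
        findings.append(Finding(path, "hidden-unicode", "zero-width or bidi control characters"))
    for m in HTML_COMMENT.finditer(text):
        findings.append(Finding(path, "html-comment", m.group(0)[:60]))
    return findings


def scan_schema_ref(path: str, data: object) -> list[Finding]:
    """Flag a "$schema" URL whose host is not on the allowlist."""
    schema = data.get("$schema") if isinstance(data, dict) else None
    if not isinstance(schema, str):
        return []
    host = urlparse(schema).hostname
    if host and host not in SCHEMA_HOST_ALLOWLIST:
        return [Finding(path, "remote-schema", schema)]
    return []


def scan_settings(path: str, data: object, workspace: str) -> list[Finding]:
    """Flag path-like settings that resolve to executables inside the workspace."""
    findings = []
    if not isinstance(data, dict):
        return findings
    for key, value in data.items():
        if not (PATHLIKE_KEY.search(key) and isinstance(value, str)):
            continue
        resolved = os.path.realpath(os.path.join(workspace, value))
        if not os.path.isabs(value) or resolved.startswith(workspace + os.sep):
            findings.append(Finding(path, "workspace-tool-path", f"{key} -> {value}"))
    return findings


def audit_repository(workspace: str) -> list[Finding]:
    """Run all three checks over every file under the workspace."""
    workspace = os.path.realpath(workspace)
    findings: list[Finding] = []
    for root, _dirs, files in os.walk(workspace):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, workspace).replace(os.sep, "/")
            try:
                with open(full, encoding="utf-8", errors="replace") as fh:
                    text = fh.read()
            except OSError:
                continue
            if name in INSTRUCTION_FILES:
                findings.extend(scan_instruction_file(rel, text))
            if name.endswith(".json"):
                try:
                    data = json.loads(text)  # strict JSON; JSONC with comments is skipped
                except ValueError:
                    continue
                findings.extend(scan_schema_ref(rel, data))
                if rel == ".vscode/settings.json":
                    findings.extend(scan_settings(rel, data, workspace))
    return findings


# Constructed sample checkout: one benign and one suspicious instance of each surface.
SAMPLE_REPO = {
    "README.md": "# demo\n\nBuild with make.\n<!-- hidden note not rendered by markdown viewers -->\n",
    ".cursorrules": "Prefer tabs.\u200b\u200bKeep functions short.\n",
    "out.json": json.dumps({"$schema": "https://example.invalid/schema.json", "token": "REDACTED"}),
    "package.json": json.dumps({"$schema": "https://json.schemastore.org/package.json", "name": "demo"}),
    ".vscode/settings.json": json.dumps({"eslint.nodePath": "./.tools/node", "git.path": "/usr/bin/git"}),
}


def write_sample_repo() -> str:
    """Materialise SAMPLE_REPO in a temp directory and return its path."""
    root = tempfile.mkdtemp(prefix="idesaster-audit-")
    for rel, content in SAMPLE_REPO.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    for f in audit_repository(write_sample_repo()):
        print(f"{f.kind:22} {f.path:25} {f.detail}")
```

Run against a real checkout with `audit_repository(".")`. The settings check deliberately ignores absolute paths outside the workspace (such as `/usr/bin/git` above) and only reports tool paths that an attacker who controls repository content could also control; a relative path into `node_modules` will show up too, which is the point of treating the output as a review list rather than a block list.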
Going forward, treat AI coding tools with the same security scrutiny you’d apply to any third-party dependency. Use them only with trusted projects. Enable human-in-the-loop verification where supported. Apply the principle of least privilege to AI agent permissions. And critically—security review all AI-generated code, not just for quality, but for injected vulnerabilities.
Industry-wide, we need security standards for AI coding tools, independent security audits before launch, and a shift from “trust by default” to “verify, then trust.” Regulatory scrutiny is likely coming, especially in enterprise and government sectors.
The bottom line is stark: The AI coding tool gold rush is accumulating real security debt. If 100% of tested AI IDEs were vulnerable, how many undiscovered vulnerabilities remain? The tools helping you code faster might be compromising your systems—and you’d never know until it’s too late.