GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents
Summary
Researchers discovered a critical flaw in six popular AI coding assistants, including Amazon Q Developer and Claude Code. The vulnerability, dubbed GhostApproval, allows a malicious repository to trick the AI into overwriting sensitive system files by requesting permission to edit a seemingly innocuous one. This could lead to attackers gaining control of a developer's machine.
IFF Assessment
This vulnerability enables attackers to potentially compromise developer machines through AI coding assistants, posing a significant risk to system security.
Severity
The vulnerability allows for unauthorized code execution and system compromise, with a high potential for impact due to the widespread use of these AI coding tools by developers.
Defender Context
This discovery highlights a new attack vector targeting the growing integration of AI in development workflows. Defenders should monitor for unusual file access requests or system behavior on developer machines using these tools and educate developers about the risks of trusting AI suggestions without verification.