GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents

Summary

Researchers discovered a critical flaw in six popular AI coding assistants, including Amazon Q Developer and Claude Code. The vulnerability, dubbed GhostApproval, allows a malicious repository to trick the AI into overwriting sensitive system files by requesting permission to edit a seemingly innocuous one. This could lead to attackers gaining control of a developer's machine.

IFF Assessment

FOE

This vulnerability enables attackers to potentially compromise developer machines through AI coding assistants, posing a significant risk to system security.

Severity

9.0 Critical (AI Estimated)

The vulnerability allows for unauthorized code execution and system compromise, with a high potential for impact due to the widespread use of these AI coding tools by developers.

Defender Context

This discovery highlights a new attack vector targeting the growing integration of AI in development workflows. Defenders should monitor for unusual file access requests or system behavior on developer machines using these tools and educate developers about the risks of trusting AI suggestions without verification.

Read Full Story →