GhostApproval: A Trust Boundary Gap in AI Coding Assistants

Wiz Research introduces GhostApproval, a category-wide vulnerability affecting multiple AI coding assistants, including Amazon Q Developer, Claude Code, Cursor, Google Antigravity, Augment, and Windsurf. The attack exploits symbolic links (CWE-61) to trick AI agents into writing to sensitive files outside the project workspace, while approval dialogs often display only the benign-looking workspace path rather than the actual target (CWE-451: User Interface Misrepresentation of Critical Information). In some cases, the agent internally recognizes the true destination but presents misleading information to the user, undermining the "human-in-the-loop" security model; in Windsurf, writes were observed to occur before user approval. The research recommends resolving canonical paths before prompting users, clearly displaying the real destination of file operations, enforcing workspace boundary validation, and ensuring that no filesystem changes occur until explicit authorization is granted. 

https://www.wiz.io/blog/ghostapproval-a-trust-boundary-gap-in-ai-coding-assistants

Comments

Popular posts from this blog

Prompt Engineering Demands Rigorous Evaluation

SecObserve: Simplified Vulnerability and License Management for CI/CD Pipelines

OWASP ZAP 2.16.0 Introduces Key Updates and Enhancements