AI Sec Watch

Claude Code is an agentic coding tool (software that can automatically write and execute code). In versions before 1.0.20, a flaw in how the tool parses commands allows attackers to skip the confirmation prompt that normally protects users before running untrusted code. Exploiting this requires the attacker to insert malicious content into Claude Code's input.

Claude Code, an agentic coding tool (software that can write and modify code automatically), has a path validation flaw in versions before 0.2.111 that allows attackers to bypass directory restrictions and access files outside the intended working directory. The vulnerability exploits prefix matching (checking if one string starts with another) instead of properly comparing full file paths, and requires the attacker to create a directory with the same prefix name and inject untrusted content into the tool's context.

Cursor, a code editor designed for AI-assisted programming, has a vulnerability in versions below 1.3.9 where it can write files in a workspace without asking the user for permission. An attacker can exploit this by using prompt injection (tricking the AI by hiding instructions in its input) to create sensitive configuration files like .cursor/mcp.json, potentially gaining RCE (remote code execution, where an attacker can run commands on a system they don't own) on the victim's computer without approval.

Cursor, a code editor designed for AI-assisted programming, has a vulnerability in versions before 1.3.9 where it can write files to a workspace without asking the user for permission. An attacker can exploit this by using prompt injection (tricking the AI by hiding instructions in its input) combined with this flaw to modify editor configuration files and achieve RCE (remote code execution, where an attacker can run commands on a system they don't own) without the user's knowledge.

Differential privacy (DP, a mathematical technique that adds controlled randomness to data to protect individual privacy while keeping data useful) is a widely-used method for protecting sensitive information, but putting it into practice in real-world systems has proven difficult. Researchers analyzed 21 actual deployments of differential privacy by major companies and institutions over the last ten years to understand what works and what doesn't.

Cursor IDE (an AI-powered code editor) has a vulnerability where it can render Mermaid diagrams (a tool for creating flowcharts and diagrams from simple text) that include external image requests without user confirmation. An attacker can use prompt injection (tricking the AI by hiding malicious instructions in code comments or other inputs) to embed image URLs in these diagrams, allowing them to steal sensitive data like API keys or user memories by encoding that information in the URL sent to an attacker-controlled server.

Anthropic's filesystem MCP server (a tool that lets AI assistants like Claude access your computer's files) had a path validation vulnerability where it only checked if a file path started with an allowed directory name, rather than confirming it was actually in that directory. This meant if you allowed access to /mnt/finance/data, the AI could also access sibling files like /mnt/finance/data-archived because the path string starts the same way.

ChatGPT Codex, a cloud-based AI tool that answers code questions and writes software, is vulnerable to prompt injection (tricking an AI by hiding instructions in its input) attacks that can turn it into a botnet (a network of compromised computers controlled remotely). An attacker can exploit the "Common Dependencies Allowlist" feature, which allows Codex internet access to certain approved servers, by hosting malicious code on Azure and injecting fake instructions into GitHub issues to hijack Codex and steal sensitive data or run malware.

1Panel is a web management tool that controls websites, files, containers (isolated software environments), databases, and AI models on Linux servers. In versions 2.0.5 and earlier, the tool's HTTPS connection (encrypted communication) between its core system and agent components doesn't fully verify certificates (digital identification documents), allowing attackers to gain unauthorized access and execute arbitrary commands on the server.