AI Sec Watch

A security flaw in Cursor AI could allow attackers to gain shell access (the ability to run commands on a computer) by combining three techniques: indirect prompt injection (hiding malicious instructions in data that the AI reads rather than typing them directly), a sandbox bypass (escaping the restricted environment meant to contain the AI), and Cursor's remote tunnel feature (which allows access to machines over the internet). This chain of attacks could expose developer devices to unauthorized access.

The UK government is investing £500 million in British AI startups and urging the country to embrace AI technology, despite recent concerns about cybersecurity risks and job displacement. Technology secretary Liz Kendall acknowledged public worries but argued that the UK must pursue AI opportunities to create jobs and address global challenges, citing concerns raised when US startup Anthropic revealed an AI model with potential cybersecurity vulnerabilities.

A vulnerability in `langchain-openai` (a library for connecting to OpenAI's API) allowed attackers to bypass SSRF protection (server-side request forgery, where an attacker tricks a server into making requests it shouldn't) through DNS rebinding (changing what a domain name points to between two lookups). The flaw was in the image token counting feature, which validated URLs in one step and then fetched them in another, giving attackers a window to redirect requests to private networks. The actual risk is limited because stolen data cannot be extracted, though attackers could probe whether internal services exist.

A function in LangChain called `HTMLHeaderTextSplitter.split_text_from_url()` had a security flaw where it checked if a URL was safe initially, but then allowed HTTP redirects (automatic follow-ups to different URLs) without rechecking them. This meant an attacker could provide a safe-looking URL that secretly redirects to internal servers or sensitive cloud services, potentially leaking private data. The vulnerability affects versions of langchain-text-splitters before 1.1.2.

Paperclip, an agent management system, has a critical authorization bypass vulnerability where three API endpoints for managing agent API keys (`POST /api/agents/:id/keys`, `GET /api/agents/:id/keys`, and `DELETE /api/agents/:id/keys/:keyId`) only verify that a user is logged in, but fail to check if they belong to the company that owns the target agent. This allows any authenticated user to create plaintext API tokens for agents in other companies, effectively bypassing the multi-tenant security boundary (the separation that prevents one company's data from being accessed by another).

A Paperclip-managed `codex_local` runtime (a local code execution environment) could access and use a Gmail connector that was only connected in the ChatGPT/OpenAI apps UI, not explicitly set up in Paperclip itself. This trust-boundary failure (a security gap between two systems that should be isolated) allowed the runtime to read emails and send real emails from the user's Gmail account without permission. The vulnerability was made worse because `codex_local` defaults `dangerouslyBypassApprovalsAndSandbox` to `true`, meaning approval checks and execution restrictions are disabled by default.

Paperclip, an AI agent platform, has a critical vulnerability where malicious skills can execute arbitrary shell commands on the server through an unsanitized `runtimeConfig` parameter, allowing attackers to steal sensitive credentials like API keys, database passwords, and authentication secrets stored in environment variables.

AI agent tools that use Model Context Protocol (MCP, a method for applications to expose data and tools to AI systems) over STDIO (a local communication method) have unsafe default settings that allow remote code execution, where attackers can run commands on systems they don't own. Anthropic and other framework developers argue that client application developers are responsible for filtering malicious commands, but researchers found that most developers either don't filter these commands or fail to catch all bypass techniques, leaving thousands of public servers and commercial systems vulnerable.

NIST (the National Institute of Standards and Technology, a U.S. agency that maintains a database of known security vulnerabilities) has announced it can no longer analyze all reported security flaws due to overwhelming volume, so it will focus only on the most critical ones. Starting immediately, NIST will prioritize enrichment (adding detailed analysis and severity ratings) for vulnerabilities listed in CISA's Known Exploited Vulnerabilities catalog and those affecting federal government software, while all other CVEs (common vulnerabilities and exposures, a standard way of naming security flaws) will be added to the database but marked as "not scheduled" for analysis. The backlog has grown to over 30,000 unanalyzed vulnerabilities, driven partly by AI tools that can now automatically discover both real and false security flaws at unprecedented rates.