GhostApproval Symlink Flaw Enables Remote Code Execution via AI Coding Assistants

Thumbnail Image

The information displayed in the AIM should not be reported as representing the official views of the OECD or of its member countries.

Researchers at Wiz discovered a vulnerability, dubbed GhostApproval, affecting six popular AI coding assistants. The flaw allows malicious repositories to exploit symlink handling, tricking AI agents into editing files outside their sandbox, potentially enabling remote code execution and unauthorized access on developers' machines. Some vendors have patched the issue.[AI generated]

Why's our monitor labelling this an incident or hazard?

The article explicitly mentions AI coding assistants, which are AI systems designed to assist in coding tasks. The flaw allows malicious repositories to run code on the developer's machine without proper authorization, which constitutes a direct harm to property and security. Since the AI systems' malfunction (the symlink flaw) directly leads to this harm, this qualifies as an AI Incident under the definition of harm to property caused by AI system malfunction.[AI generated]
AI principles
Robustness & digital securitySafety

Industries
Digital securityIT infrastructure and hosting

Affected stakeholders
WorkersBusiness

Harm types
Economic/PropertyReputationalHuman or fundamental rights

Severity
AI incident

Business function:
Research and development

AI system task:
Content generation


Articles about this incident or hazard