GhostApproval Flaw Featuring Decades-Old Feature Found in Six AI Coding Tools

A security flaw found in six popular AI coding agents can let attackers abuse a decades-old feature in Unix to trick an AI agent into giving them control of a developer’s system.

Researchers with Google-owned Wiz said the vulnerability, dubbed “GhostApproval,” relies on symbolic links – or symlinks – a file system feature that has been a security problem for years and one in which a file path secretly points to another. Writing to the symlink actually means writing to the target rather than the actual intended file.

Wiz found that the same technique – which over the years has been exploited in race conditions, package managers, and container escapes – also works with coding agents, in particular Anthropic Claude Code, Amazon Q Developer, Google Antigravity, Augment, Cursor, and Windsurf.

A malicious repository created by a threat actor can trick a coding agent into writing to malicious files on a developer’s machine or to give attackers remote code execution (RCE) capabilities.

“Any time a tool writes to a user-controlled path without resolving it first, symlinks become a weapon,” Wiz security researcher Maor Dokhanian wrote in a report. “Would AI agents, with their ability to read and write files autonomously, fall for the same trick? We were surprised when it worked. The agent happily followed a symlink pointing outside the workspace and wrote to the target file. No warning, no path resolution, no sandbox enforcement.”

A Wiz-built proof-of-concept (PoC) proved it out, Dokhanian wrote.

Targeting AI Coding Assistants

The vendor’s findings come more than a month after researchers with Adversa AI, which offers a platform that provides continuous AI red teaming, wrote about the flaw, which they termed “SymJacking.”

The vendor similarly built a PoC and came away with similar findings, finding the technique worked against Claude Code, Gemini CLI/Antigravity CLI, Cursor Agent CLI, GitHub Copilot CLI, Grok Build, and OpenAI Codex CLI.

“We found that a booby-trapped code repository can take over a developer’s workstation through their AI coding assistant, with the developer approving only what appears to be a harmless video file copy,” wrote Rony Utevsky, security research engineer with Adversa AI. “We call this class of attack SymJack, for the symlink hijack at its core: the developer approves what the prompt shows, the kernel writes somewhere else.”

Both illustrate the ongoing security issues that come with AI coding assistants. They are given wide access to privileged and sensitive information but often can’t discern between trusted instructions and untrusted data. Given the rapidly expanding use of coding agents – a report by CodeSignal found that 81% of developers surveyed are using them, with 49% doing so every day – it opens organizations up to indirect prompt injections and other such threats.

‘A Category-Level Blind Spot’

According to Wiz’s Dokhanian, the fact that the GhostApproval technique worked on six major AI coding assistants showed that “this wasn’t about one vendor’s mistake. It was a category-level blind spot across AI coding tools.”

In their PoC, Wiz researchers created a malicious repository. When the victim clones the repository and asks the coding tool to create a workspace or follow a README, the agent takes in the instructions and writes the attacker’s SSH public key to the victim’s authorized key. This can occur quickly enough that it’s done before the user is asked for confirmation.

When that’s done, the bad actor has persistent SSH access to the developer’s computer.

Cracks in the Defenses

A key problem is that many of the coding agents have sandboxes or confirmation dialogs aimed at preventing such an attack, creating a human-in-the-loop environment in which the user is asked for permission before the agent acts. However, the UI doesn’t always show the true target.

In addition, in testing Claude Code, the agent itself can detect the malicious file, but the confirmation prompt simply asks, “Make this edit to project_settings.json?”

“The agent knew,” Dokhanian wrote. “The user didn’t. This transforms a sandbox bypass into an informed consent bypass – the user approves what they believe is a harmless local edit, while the agent modifies” the malicious file.

Anthropic Balks

Wiz reported its findings to all six vendors, with Amazon Web Services, Cursor, and Google fixing the issue. Two others, Augment and Windsurf, have fixes in the works. Anthropic initially rejected the finding, writing that it “falls outside of our current threat model,” noting that with Claude Code, the user must confirm their trust in the directory before starting the session.

That said, current Claude Code versions now warn users before writing to sensitive files, Dokhanian wrote. In a subsequent note to Wiz, Anthropic said the symlink warning shipped in v2.1.32 in February, several days before Wiz submitted its report to the vendor, and was done based on an internal review.

A Matter of Trust

He added that it becomes an issue of design philosophy, with the question being whether the tool should protect users from deceptive workspaces, or is it up to the user to recognize the malicious workspace.

“The Human-in-the-Loop security model only works if the loop provides accurate information,” Dokhanian wrote. “When an agent shows one thing and does another, user approval becomes meaningless. The confirmation dialog transforms from a security control into a formality.”

He called it a “category-level design question” that the AI coding industry hasn’t adequately addressed, which is a concern given how vendors are competing to get their tools with expanding autonomous capabilities to developers.

“The trust boundaries between user, agent, and filesystem need clearer definition,” he said.

Read More

Scroll to Top