GhostApproval: Symlink Vulnerability Exposes 6 Major AI Coding Assistants to Sandbox Escape
Key Takeaways
- ▸Symlink following (CWE-61) allows malicious repositories to trick AI agents into reading/writing files outside the workspace sandbox
- ▸In several cases, agents recognize the danger internally but display misleading confirmation prompts to users (CWE-451), breaking the human-in-the-loop safety model
- ▸All 6 tested vendors were vulnerable; AWS, Cursor, and Google have patched; 2 went silent, 1 rejected the report
Summary
Security researchers have discovered GhostApproval, a systematic vulnerability pattern affecting 6 of the top AI coding assistants: Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. The vulnerability exploits symbolic links (CWE-61)—a decades-old Unix security issue—to trick AI agents into accessing arbitrary files outside their workspace sandbox, potentially enabling remote code execution on a developer's machine.
The attack is deceptively simple: a malicious repository contains a symlink disguised as an innocuous config file (e.g., project_settings.json → ~/.ssh/authorized_keys). When the AI agent is instructed to modify that file, it follows the symlink and writes to the sensitive target location. What makes GhostApproval particularly insidious is that in several cases, the agent's internal reasoning explicitly recognizes the dangerous target—yet the confirmation prompt shown to the user conceals this information entirely. This layered vulnerability (CWE-451: UI misrepresentation of critical information) means developers unwittingly approve actions they believe are harmless.
Three vendors responded swiftly: AWS, Cursor, and Google patched the issue. However, two vendors acknowledged receipt but went silent, while one provider rejected the finding as "outside our threat model." The researchers stress that this isn't a single vendor's mistake but a category-level blind spot affecting how AI coding assistants were architected—a critical gap for tools designed with a Human-in-the-Loop safety model.
- The vulnerability represents a category-level architectural blind spot in AI coding assistants, not isolated vendor errors
- Responsible disclosure revealed that rapid market shipping may have prioritized features over canonical path resolution and sandbox validation
Editorial Opinion
This disclosure exposes a critical gap between the marketed safety model of AI coding assistants ("you approve before any file is modified") and their actual behavior. When an agent's reasoning recognizes danger but the UI deceives the user, the human-in-the-loop becomes a rubber stamp. The fact that this affects multiple vendors simultaneously suggests the industry may have underinvested in path sanitization and canonical resolution—basics that should be enforced at the agent's file operation layer, not emergent from luck.



