What Happened
In early 2025, Wiz security researchers disclosed GhostApproval, a vulnerability affecting six major AI coding assistants: Amazon Q Developer, Google Antigravity, Cursor, Codeium, JetBrains AI Assistant, and Tabnine. The flaw allowed attackers to escape sandbox protections by manipulating symbolic links and exploiting UI misrepresentation (CWE-451). Attackers could trick users into approving malicious actions that appeared legitimate in the tool's interface, bypassing the "human in the loop" safety mechanism these tools rely on.
AWS, Cursor, and Google patched the issue immediately after notification. The response timelines for the remaining vendors weren't disclosed.
Timeline
Discovery phase: Wiz researchers found that AI coding assistants handle symbolic links inconsistently, allowing references to files outside intended sandboxes.
Exploitation vector: Attackers could craft prompts that caused the AI to create or modify files through symlinks while displaying sanitized paths in the approval UI. Users reviewing the proposed changes saw benign file paths, not the actual targets.
Disclosure: Wiz notified all six affected vendors.
Remediation: Three vendors (AWS, Cursor, Google) deployed fixes promptly. The status of the remaining three vendors wasn't confirmed at the time of disclosure.
Which Controls Failed or Were Missing
Inadequate input validation: The tools didn't properly validate or sanitize symbolic link references before processing file operations. Symlink vulnerabilities have been documented for decades.
UI misrepresentation (CWE-451): The approval interfaces displayed sanitized or relative paths instead of resolved absolute paths. Users couldn't see where files would actually be written or modified, hiding the real scope of operations from the person making the approval decision.
Insufficient sandboxing: The sandbox implementations didn't restrict symbolic link traversal. A proper sandbox should either block symlinks entirely or resolve them and enforce boundaries on the resolved path, not the link itself.
No privilege separation: These tools run with the user's full filesystem permissions. There's no separate execution context with reduced privileges for AI-generated operations.
Missing pre-execution analysis: The tools didn't analyze proposed operations for suspicious patterns (writing to system directories, following links outside project boundaries, modifying executable files) before presenting them for approval.
What the Relevant Standards Require
PCI DSS v4.0.1 Requirement 6.4.3 mandates that custom software be reviewed prior to release to identify and correct coding vulnerabilities. For organizations processing payment data, AI coding assistants that generate or modify code fall under this requirement. You can't assume AI-generated code is safe just because a human clicked "approve."
OWASP ASVS v4.0.3, Section 5.2.8 requires applications to validate that file paths don't contain symbolic links to unauthorized locations. The AI tools themselves are applications, and they're handling file operations. This requirement applies.
ISO/IEC 27001:2022 Control 8.22 (segregation of networks) and Control 8.23 (web filtering) address isolation of development environments. If you're running AI coding tools with production access, you're violating the principle. These tools should operate in isolated development environments with no path to production systems.
NIST 800-53 Rev 5, AC-6 (Least Privilege) requires that processes execute with the minimum privileges necessary. AI coding assistants running with full user privileges violate this control. Katie Norton from Wiz noted that these tools represent a significant expansion of attack surface for enterprises, precisely because they operate with excessive privilege.
Lessons and Action Items for Your Team
Stop treating AI tools like productivity software. They're privileged applications that execute code and modify files based on external input (prompts, training data, context). Apply the same security rigor you'd apply to a CI/CD pipeline or infrastructure-as-code tool.
Implement path validation before any file operation:
- Resolve all symbolic links to absolute paths.
- Check that resolved paths fall within allowed directories.
- Display resolved paths in approval UIs, not the original references.
- Block operations that target system directories, configuration files, or executables unless explicitly required.
Run AI assistants in restricted contexts:
- Use separate service accounts with minimal filesystem permissions.
- Implement mandatory access controls (SELinux, AppArmor) to constrain what these tools can access.
- Consider containerized development environments where the AI tool has no access to the host filesystem.
Add pre-approval scanning:
- Before showing operations to users, scan for suspicious patterns: writes to /etc, /usr, ~/.ssh, .git/hooks.
- Flag operations that modify executable files or scripts.
- Require explicit confirmation for any operation outside the current project directory.
Patch discipline matters here too. AWS, Cursor, and Google fixed GhostApproval quickly. If you're using the other three vendors, you need to know their patch status. Add AI coding tools to your vulnerability management program. Track CVEs, monitor vendor advisories, test updates in non-production before rollout.
Reassess "human in the loop" assumptions. This vulnerability proves that showing users a prompt and waiting for approval isn't sufficient security. The human can only make good decisions if the information they're shown is accurate and complete. If your security policy relies on user approval as a control, document what information must be displayed and how it must be validated before presentation.
Update your acceptable use policy. Specify which AI coding tools are approved, what data they can access, and what operations require additional review. Make it clear that AI-generated code goes through the same security review as human-written code before it reaches production.
The core issue isn't that AI tools have vulnerabilities. All software does. The issue is that organizations are deploying these tools without the security controls they'd apply to any other privileged software. Fix that gap now, before you're explaining to auditors why an AI assistant wrote malicious code into your production environment.



