CVE-2025-36730

Vulnerability

Overview

A prompt injection vulnerability exists in Windsurf version 1.10.7 when using Write mode with the SWE-1 model. The root cause is that the AI assistant appends the filename of opened files to the user prompt without sanitization. An attacker can create a file with a name containing embedded instructions, which the AI then interprets and executes as part of its task [1].

Exploitation

To exploit this, an attacker must be able to create files in a directory that the victim opens in Windsurf. When the victim opens the folder and uses Write mode, the AI reads the filename and follows the injected instructions. The Workspace Trust feature in VS Code can prevent AI features if the user explicitly chooses not to trust the authors, but this effectively disables the AI coding assistant, making it an impractical mitigation [1].

Impact

The injected instructions can direct the AI to perform actions such as reading a webhook URL and exfiltrating sensitive system information (username, OS, current directory, IP address, etc.) to an attacker-controlled server. This could lead to data leakage and further compromise if the attacker gains access to the victim's environment [1].

Mitigation

As of the publication date, no patch has been released for Windsurf 1.10.7. The vendor suggests using Workspace Trust, but this disables the AI assistant entirely. Users should avoid opening untrusted directories in Windsurf until a fix is available [1].