GhostApproval: A symlink flaw undermining trust in AI coding assistants
Researchers found a symlink-based flaw in six major AI coding assistants, where approval dialogs hide the real file target, undermining human oversight.
Security researchers uncovered a systemic vulnerability dubbed GhostApproval affecting six leading AI coding assistants — Amazon Q Developer, Anthropic Claude Code, Augment, Cursor, Google Antigravity, and Windsurf. By planting a symbolic link inside a malicious repository, an attacker can trick the agent into writing to files outside the workspace sandbox, such as ~/.ssh/authorized_keys, exploiting the decades-old CWE-61 symlink primitive. In several tools, this was compounded by CWE-451: the agent's internal reasoning correctly identified the dangerous target, but the confirmation dialog shown to the user concealed it entirely.
The clearest case was Claude Code, where the agent's reasoning explicitly recognized a file as a zsh configuration file, yet the approval prompt displayed only an innocuous-looking filename — turning human-in-the-loop oversight into a rubber stamp.
All six vendors were notified. AWS, Cursor, and Google shipped fixes promptly; two vendors acknowledged the report but went quiet; Anthropic rejected it as being outside its threat model. Amazon Q Developer was found to write to disk before even presenting a confirmation, only offering an after-the-fact undo option — effectively bypassing user consent altogether.
The research highlights how fragile trust boundaries can be in rapidly shipped, agentic coding tools. For engineers, the takeaway is clear: user approval in AI agents is meaningless unless the UI faithfully represents what the agent is actually about to do.