GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents
Researchers have identified symlink vulnerabilities in GhostApproval, a tool designed to manage approval workflows for AI coding agents. The flaws could allow malicious repositories to execute arbitrary code on a developer's machine by exploiting symlink handling. GhostApproval is used to approve or deny actions taken by AI agents, such as code changes or file modifications. The vulnerabilities bypass the intended approval mechanism, potentially leading to unauthorized code execution. The researchers demonstrated that an attacker could create a repository with malicious symlinks that, when processed by GhostApproval, would execute code without proper user consent. This poses a significant risk to developers using AI coding agents that rely on GhostApproval for security checks. The findings highlight the need for careful validation of symlink operations in tools that interact with untrusted repositories.
Symlink flaws in GhostApproval could let malicious repos execute code on developer machines.