CVE-2025-36730
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-14

Last updated on: 2025-10-14

Assigner: Tenable Network Security, Inc.

Description
A prompt injection vulnerability exists in Windsurft version 1.10.7 in Write mode using SWE-1 model. It is possible to create a file name that will be appended to the user prompt causing Windsurf to follow its instructions.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-14
Last Modified
2025-10-14
Generated
2026-06-16
AI Q&A
2025-10-14
EPSS Evaluated
2026-06-14
NVD
CVE-2025-36730
EUVD
EUVD-2025-34255
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
windsurf windsurf 1.10.7
windsurf windsurf_extension 1.48.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-36730 is a prompt injection vulnerability in Windsurf version 1.10.7 when using Write mode with the SWE-1 model. The issue occurs because Windsurf appends filenames directly to user prompts. An attacker can create a malicious filename containing instructions that the AI assistant will execute without user consent. This allows unauthorized actions such as reading file contents and sending sensitive information to an external URL automatically when the directory is opened and the project authors are trusted. [1]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive project and system information, including usernames, operating system details, current working directory, IP address, and file contents. An attacker can exploit this by crafting malicious filenames that cause Windsurf to execute commands like connectivity tests and data exfiltration to external URLs without explicit user approval. This can compromise confidentiality and potentially expose private data. [1]

Detection Guidance

This vulnerability can be detected by monitoring for suspicious filenames in Windsurf project directories that contain embedded instructions or unusual prompt-like content. Since the exploit involves creating a malicious filename that Windsurf appends to user prompts, inspecting filenames for suspicious patterns or commands is key. Additionally, network monitoring for unexpected outbound connections to unknown URLs or webhooks triggered by Windsurf could indicate exploitation attempts. Specific commands are not provided in the resources, but users can list files in project directories and look for unusual filenames, and use network monitoring tools to detect unexpected HTTP requests. [1]

Mitigation Strategies

Immediate mitigation steps include avoiding trusting project authors in Windsurf to prevent the AI assistant from executing potentially malicious instructions embedded in filenames. Users should disable AI chat features by not trusting the workspace if unsure about the source. Additionally, users should be cautious when opening directories with untrusted files and monitor for suspicious filenames. Since no official fix is available yet, exercising caution and limiting the use of the vulnerable Write mode with the SWE-1 model is advised. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-36730. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart