CVE-2025-36730
BaseFortify
Publication date: 2025-10-14
Last updated on: 2025-10-14
Assigner: Tenable Network Security, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| windsurf | windsurf | 1.10.7 |
| windsurf | windsurf_extension | 1.48.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-36730 is a prompt injection vulnerability in Windsurf version 1.10.7 when using Write mode with the SWE-1 model. The issue occurs because Windsurf appends filenames directly to user prompts. An attacker can create a malicious filename containing instructions that the AI assistant will execute without user consent. This allows unauthorized actions such as reading file contents and sending sensitive information to an external URL automatically when the directory is opened and the project authors are trusted. [1]
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive project and system information, including usernames, operating system details, current working directory, IP address, and file contents. An attacker can exploit this by crafting malicious filenames that cause Windsurf to execute commands like connectivity tests and data exfiltration to external URLs without explicit user approval. This can compromise confidentiality and potentially expose private data. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious filenames in Windsurf project directories that contain embedded instructions or unusual prompt-like content. Since the exploit involves creating a malicious filename that Windsurf appends to user prompts, inspecting filenames for suspicious patterns or commands is key. Additionally, network monitoring for unexpected outbound connections to unknown URLs or webhooks triggered by Windsurf could indicate exploitation attempts. Specific commands are not provided in the resources, but users can list files in project directories and look for unusual filenames, and use network monitoring tools to detect unexpected HTTP requests. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding trusting project authors in Windsurf to prevent the AI assistant from executing potentially malicious instructions embedded in filenames. Users should disable AI chat features by not trusting the workspace if unsure about the source. Additionally, users should be cautious when opening directories with untrusted files and monitor for suspicious filenames. Since no official fix is available yet, exercising caution and limiting the use of the vulnerable Write mode with the SWE-1 model is advised. [1]