
SymJack: the approval prompt is lying to you. A symlink-hijack RCE in five AI coding agents

Rony Utevsky
Specializing in agentic AI security, LLM vulnerabilities, and secure code architecture.

Executive Summary

Following up on the initial TrustFall discovery, I identified a critical security bypass affecting six prominent AI coding agents: Claude Code, Cursor CLI, Antigravity (Gemini CLI), GitHub Copilot CLI, Grok Build, and Codex CLI. This bypass allows a weaponized repository to trick the user into granting Remote Code Execution (RCE) via a deceptively innocent tool-approval prompt.

The attack leverages symbolic links (symlinks) committed directly to a repository to defeat the agents’ built-in sensitive-file warnings and file-system sandbox restrictions.

Vulnerability Risk Assessment: HIGH

  • Vulnerability Name: Symlink Trust Bypass (The Lying Approval Prompt)
  • Affected Tools: Claude Code, Cursor CLI, Antigravity, GitHub Copilot CLI, Grok Build, Codex CLI
  • Vulnerability Type: Trust Bypass / Arbitrary File Overwrite leading to RCE
  • Attack Surface: Any developer environment or automated CI/CD pipeline using AI coding agents on untrusted repositories

How the Vulnerability Works

  1. Weaponized Symlinks: The attacker commits symlinks in the workspace that mimic harmless files but point directly to the agent’s sensitive configuration directories (e.g., .mcp.json or agent settings).
  2. Deceptive Prompts: The agent is prompted by instructions in the repo to perform a standard file copy or write operation (e.g., copying a video file from media/vid0.mp4 to a symlinked path like docs/vid0.mp4 that resolves to .mcp.json).
  3. The Symlink Follow: When the user reviews the prompt, the agent displays an innocent-looking copy command, keeping the user unaware of the real target. Once approved, the underlying kernel follows the symlink and overwrites the agent’s config with the attacker’s JSON payload disguised inside the copied file.
  4. Execution: Upon next execution or agent restart, the overwritten configuration registers a malicious MCP server, resulting in unprompted command execution.

Similar to TrustFall, this technique is especially dangerous on headless CI/CD systems, where automated pull request pipelines instantly execute these operations without any human observation.
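The core defect in the flow above is that the approval prompt shows the path the agent was asked to write, not the path the kernel will open after following symlinks. The following added example (written for this summary, not code from the original publication or from any of the affected agents) builds a constructed workspace with the same layout, a committed docs/vid0.mp4 symlink pointing at a fake home directory's .mcp.json, and shows the check an agent needs before displaying a prompt: resolve the destination and verify it still lies inside the workspace.

```python
import os
import tempfile
from pathlib import Path


def resolve_write_target(workspace: str, relative_dest: str) -> dict:
    """Resolve where a write to `relative_dest` would really land.

    Returns the path a naive prompt would display, the symlink-resolved path
    the kernel would actually open, and whether that real path stays inside
    the workspace root. Any symlink component, including a dangling final one
    or a symlinked parent directory, is followed by Path.resolve().
    """
    root = Path(workspace).resolve()
    displayed = root / relative_dest
    real = displayed.resolve()
    inside = real == root or root in real.parents
    return {"displayed": str(displayed), "real": str(real), "inside_workspace": inside}


def demo() -> dict:
    """Constructed SymJack-style layout: a repo symlink aimed at agent config."""
    tmp = Path(tempfile.mkdtemp())
    fake_home = tmp / "home"   # stands in for the user's home directory
    workspace = tmp / "repo"   # the cloned, attacker-controlled repository
    fake_home.mkdir()
    (workspace / "docs").mkdir(parents=True)
    (fake_home / ".mcp.json").write_text("{}")  # the agent config being protected
    # The committed symlink: named like a media file, resolves to .mcp.json
    os.symlink(fake_home / ".mcp.json", workspace / "docs" / "vid0.mp4")
    return {
        "attack": resolve_write_target(str(workspace), "docs/vid0.mp4"),
        "benign": resolve_write_target(str(workspace), "docs/readme.md"),
    }
```

An agent that refuses, or at least displays the `real` path, whenever `inside_workspace` is false would have shown the user `.mcp.json` rather than `docs/vid0.mp4`.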


Full Research and Details

For the complete technical breakdown, including proof-of-concept videos and detailed vendor responses, read the original publication:

👉 SymJack: the approval prompt is lying to you. A symlink-hijack RCE in six AI coding agents (Published on Adversa AI)
