[Eclipse Theia] Identified Vulnerabilities in Eclipse Theia AI Features (#331) · Issues · Eclipse Projects Security / vulnerability-reports

[Eclipse Theia] Identified Vulnerabilities in Eclipse Theia AI Features

**Overview of Vulnerabilities** The identified issues fall into two categories: 1. **Prompt Injection Primitives** 1. **Prompt Injection via Adversarial Filenames/Directories**: Directory names containing instructions can influence the AI agent's behavior when analyzing a repository 2. **Prompt Injection via Prompt Template Files**: Files matching the pattern _.prompts/\*.prompttemplate_ are automatically loaded and can override the AI's system prompts. This works on macOS and intermittently on Windows depending on the message and template used. 2. **Impact Vulnerabilities** 1. **Data Exfiltration via Markdown Images**: The AI can be manipulated to generate Markdown image tags that trigger HTTP requests, enabling data exfiltration⁠ 2. **Arbitrary Command Execution via Custom Task Definition**: When combined with specific settings in _.theia/settings.json_ that disable tool confirmation, malicious task definitions in _.theia/tasks.json_ can be executed automatically **Attack Scenarios** These vulnerabilities can be chained to create complete attack scenarios that require the user only to clone a malicious repository, open it in Theia and send a message through the AI Chat (in some case the message can be arbitrary): 1. **Prompt injection through template file leading to data exfiltration via Markdown image** 2. **Prompt injection through template file leading to arbitrary code execution via _tasks.json_ definition** 3. **Adversarial directory prompt injection leading to data exfiltration via Markdown image** 4. **Adversarial directory prompt injection leading to arbitrary code execution via _tasks.json_ definition** **Proof of Concepts** Please find a link to the 4 Proof of Concepts (including videos) here: [https://drive.google.com/<wbr>drive/folders/<wbr>1EfGFVGc1gxN93hyMRbaRkPZx9Q2FJ<wbr>Dkf?usp=sharing](https://drive.google.com/drive/folders/1EfGFVGc1gxN93hyMRbaRkPZx9Q2FJDkf?usp=sharing) **Severity Assessment** These vulnerabilities should be considered high severity as they enable: * Arbitrary code execution with user privileges * Exfiltration of sensitive data * Fully automated attacks requiring minimal user interaction

issue