CVE-2025-36730 in Windsurf
Summary
by MITRE • 10/14/2025
A prompt injection vulnerability exists in Windsurft version 1.10.7 in Write mode using SWE-1 model.
It is possible to create a file name that will be appended to the user prompt causing Windsurf to follow its instructions.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 10/14/2025
This vulnerability represents a critical prompt injection flaw in Windsurft version 1.10.7 that operates within the Write mode functionality when utilizing the SWE-1 model. The issue stems from inadequate input sanitization and validation mechanisms that fail to properly handle maliciously crafted file names. When users create files with specific naming conventions, these filenames become part of the user prompt that gets processed by the SWE-1 model, effectively allowing attackers to inject arbitrary instructions into the system's processing pipeline. The vulnerability manifests when the system appends the crafted filename to the existing user prompt without proper isolation or sanitization, creating a direct pathway for malicious command execution. This flaw falls under CWE-74, known as Improper Neutralization of Special Elements in Output Used by a Downstream Component, and specifically relates to CWE-94, which addresses Improper Control of Generation of Code, as the injected commands can potentially alter the code generation process. The operational impact is significant as it allows adversaries to manipulate the system's behavior through seemingly benign file creation activities, potentially leading to unauthorized code execution, data exfiltration, or system compromise. The attack vector is particularly concerning because it leverages legitimate user functionality to deliver malicious payloads, making detection more challenging and exploitation more stealthy.
The technical implementation of this vulnerability exploits the lack of proper parameter validation and input filtering within the prompt construction process. When the SWE-1 model processes user prompts in Write mode, it does not adequately separate user-generated content from system instructions, creating an environment where crafted filenames can contain malicious payloads that get interpreted as additional commands. This represents a classic case of command injection where the attack occurs not through traditional input fields but through file naming conventions that are subsequently processed as part of the prompt. The vulnerability aligns with ATT&CK technique T1059.001, which covers Command and Scripting Interpreter, and specifically targets the execution phase where attackers can inject commands through manipulated input sources. The system's failure to implement proper sandboxing or isolation mechanisms between user input and system processing creates an attack surface that can be exploited to bypass normal security controls.
Mitigation strategies must address both the immediate vulnerability and underlying architectural weaknesses. Organizations should implement strict input validation and sanitization for all user-generated content, particularly filenames and prompt inputs, ensuring that special characters and command sequences are properly escaped or removed before processing. The system should enforce proper separation between user input and system instructions through robust parameterization and input isolation techniques. Updates to Windsurft version 1.10.7 should include comprehensive input filtering that prevents filenames from containing potentially harmful sequences that could be interpreted as commands. Security measures should also incorporate runtime monitoring and anomaly detection to identify unusual prompt construction patterns that might indicate injection attempts. Additionally, implementing principle of least privilege access controls and restricting file creation capabilities in sensitive processing environments can significantly reduce the attack surface. Organizations should consider adopting defensive programming practices that separate user input processing from system command execution, ensuring that no user-controlled data can directly influence the execution flow of critical system components. The remediation process should also include comprehensive security testing of all input handling mechanisms to prevent similar vulnerabilities from existing in other system components.