| 제목 | Kilo Code Kilo Code VS Code Extension 4.86.0 Insecure Permissions |
|---|
| 설명 | The Kilo Code agent VS Code Extension fails to prevent writes outside of the working directory. This allows for the editing of the `settings.json` file. Through an indirect prompt injection, an attacker can set a user up to have the Kilo Code agent a) modify the settings.json file to whitelist previously unwhitelisted commands b) poison the supply chain via git invocations.
The user falls into this issue when attempting to interact with some untrusted data source, such as a compromised project, or a GitHub issue. |
|---|
| 원천 | ⚠️ https://mcpsec.dev/advisories/2025-10-02-kilo-code-ai-agent-supply-chain-attack/ |
|---|
| 사용자 | echarris128 (UID 91221) |
|---|
| 제출 | 2025. 10. 02. AM 12:55 (9 개월 ago) |
|---|
| 모더레이션 | 2025. 10. 07. PM 03:30 (6 days later) |
|---|
| 상태 | 수락 |
|---|
| VulDB 항목 | 327382 [Kilo Code 까지 4.86.0 Prompt ClineProvider.ts ClineProvider 권한 상승] |
|---|
| 포인트들 | 20 |
|---|