diff --git a/README.md b/README.md index e2f29271..ab1c4dc0 100644 --- a/README.md +++ b/README.md @@ -244,7 +244,7 @@ Crust ships with **41 security rules** (38 locked, 3 user-disablable) and **51 D All rules are open source: [`internal/rules/builtin/security.yaml`](internal/rules/builtin/security.yaml) (path rules), [`internal/rules/dlp.go`](internal/rules/dlp.go) (DLP patterns), and [`internal/rules/dlp_crypto.go`](internal/rules/dlp_crypto.go) (crypto key detection) -These defenses are validated against [**51 real-world CVEs**](docs/cve-tracker.md) affecting Cursor, GitHub Copilot, Claude Code, OpenAI Codex CLI, and other AI agents — including prompt injection, config hijacking, env var poisoning, and token exfiltration attacks. +These defenses are validated against [**84 real-world CVEs**](docs/cve-tracker.md) affecting Cursor, GitHub Copilot, Claude Code, OpenAI Codex CLI, and other AI agents — including prompt injection, config hijacking, env var poisoning, and token exfiltration attacks. ### Custom Rules diff --git a/docs/cve-reference.md b/docs/cve-reference.md new file mode 100644 index 00000000..9a66cf6a --- /dev/null +++ b/docs/cve-reference.md 
@@ -0,0 +1,104 @@ +# CVE Reference Table + +Complete inventory of all vulnerabilities tracked by Crust, derived from [cve-tracker.md](cve-tracker.md). + +**Last verified:** 2026-03-30 | **Total: 84** (71 Full, 1 Partial, 12 Not defensible) + +## Full Defense (71) + +| CVE ID | Product | CVSS | CWE | Attack Vector | Defense Layer | +|--------|---------|------|-----|---------------|---------------| +| [CVE-2025-54135](https://nvd.nist.gov/vuln/detail/CVE-2025-54135) | Cursor | 9.8 | CWE-77 | CurXecute: prompt injection → write `.cursor/mcp.json` → MCP Auto-Run executes malicious commands | `protect-agent-config` + MCP gateway | +| [CVE-2025-54136](https://nvd.nist.gov/vuln/detail/CVE-2025-54136) | Cursor | 8.8 | CWE-77 | MCPoison: approved MCP server config changes trusted by name → silent command injection | `protect-agent-config` blocks `.cursor/mcp.json` writes | +| [CVE-2025-61590](https://nvd.nist.gov/vuln/detail/CVE-2025-61590) | Cursor | 7.5 | CWE-77 | RCE through `.code-workspace` file manipulation via compromised MCP server | `protect-vscode-settings` blocks `*.code-workspace` writes | +| [CVE-2025-61592](https://nvd.nist.gov/vuln/detail/CVE-2025-61592) | Cursor | 8.8 | CWE-77 | Auto-loading `.cursor/cli.json` from working directory → arbitrary config injection | `protect-agent-config` blocks `.cursor/cli.json` writes | +| [CVE-2025-61593](https://nvd.nist.gov/vuln/detail/CVE-2025-61593) | Cursor | 8.8 | CWE-77 | Cursor CLI Agent file modification bypasses sensitive file protection | Credential and system file rules | +| [CVE-2025-59944](https://nvd.nist.gov/vuln/detail/CVE-2025-59944) | Cursor | 8.0 | CWE-178 | Case-insensitive path bypass: `.Cursor/mcp.json` evades config protection | `pathutil` filesystem-based case sensitivity detection | +| [CVE-2026-22708](https://nvd.nist.gov/vuln/detail/CVE-2026-22708) | Cursor | 8.6 | CWE-77 | Shell builtins (`export`, `typeset`) poison env vars to hijack allowlisted commands | `envDB` engine (54 vars, 4 OSes) | +| 
[CVE-2025-64107](https://github.com/cursor/cursor/security/advisories/GHSA-2jr2-8wf5-v6pf) | Cursor | 8.8 | N/A | Sensitive File Protection Bypass — Path Manipulation Using Backslashes on Windows | `pathutil` normalizes backslashes + credential rules | +| [CVE-2025-64108](https://github.com/cursor/cursor/security/advisories/GHSA-6r98-6qcw-rxrw) | Cursor | 8.8 | N/A | Sensitive File Modification — NTFS Path Quirks | `pathutil` NTFS path normalization + credential rules | +| [GHSA-wj33-264c-j9cq](https://github.com/cursor/cursor/security/advisories/GHSA-wj33-264c-j9cq) | Cursor | 8.8 | CWE-78 | RCE in Cursor CLI via Cursor Agent MCP OAuth2 Communication | Shell AST parser detects injected commands in OAuth flow | +| [GHSA-v64q-396f-7m79](https://github.com/cursor/cursor/security/advisories/GHSA-v64q-396f-7m79) | Cursor | 8.8 | CWE-829 | Arbitrary code execution — Permissive CLI Config in Cursor CLI | `protect-agent-config` blocks CLI config writes | +| [CVE-2025-64109](https://github.com/cursor/cursor/security/advisories/GHSA-4hwr-97q3-37w2) | Cursor | 8.8 | CWE-78 | Command Injection via Untrusted MCP Configuration in Cursor CLI Beta | MCP gateway intercepts tool calls; shell AST parser | +| [GHSA-4cxx-hrm3-49rm](https://github.com/cursor/cursor/security/advisories/GHSA-4cxx-hrm3-49rm) | Cursor | 8.6 | CWE-78, CWE-829 | Arbitrary code execution via prompt injection via MCP Special Files | MCP gateway + `protect-agent-config` | +| [CVE-2026-26268](https://github.com/cursor/cursor/security/advisories/GHSA-8pcm-8jpx-hv8r) | Cursor | 8.1 | N/A | Sandbox escape via Git hooks | `protect-git-hooks` blocks `.git/hooks/` writes | +| [GHSA-xcwh-rrwj-gxc7](https://github.com/cursor/cursor/security/advisories/GHSA-xcwh-rrwj-gxc7) | Cursor | 8.1 | CWE-178 | Cursor IDE — Sensitive File Overwrite Bypass | `pathutil` case sensitivity detection + credential rules | +| [CVE-2025-32018](https://github.com/cursor/cursor/security/advisories/GHSA-qjh8-mh96-fc86) | Cursor | 8.1 | CWE-20 | 
Arbitrary file write via prompt injection from malicious @Docs | Credential/system file rules block sensitive writes | +| [CVE-2025-64110](https://github.com/cursor/cursor/security/advisories/GHSA-vhc2-fjv4-wqch) | Cursor | 8.0 | N/A | Cursorignore Bypass via New Cursorignore Write | `protect-agent-config` blocks config file writes | +| [CVE-2026-31854](https://github.com/cursor/cursor/security/advisories/GHSA-hf2x-r83r-qw5q) | Cursor | 8.0 | CWE-78 | Arbitrary Code Execution via Prompt Injection and Whitelist Bypass | Shell AST parser + credential rules | +| [GHSA-82wg-qcm4-fp2w](https://github.com/cursor/cursor/security/advisories/GHSA-82wg-qcm4-fp2w) | Cursor | 8.0 | CWE-78 | Terminal Tool Allowlist Bypass via Environment Variables | `envDB` engine detects env var poisoning | +| [CVE-2024-48919](https://github.com/cursor/cursor/security/advisories/GHSA-rmj9-23rg-gr67) | Cursor | 8.0 | CWE-20 | RCE via Prompt Injection Into Cursor's Terminal Cmd-K | Shell AST parser detects injected commands | +| [GHSA-xg6w-rmh5-r77r](https://github.com/cursor/cursor/security/advisories/GHSA-xg6w-rmh5-r77r) | Cursor | 7.5 | N/A | RCE via .code-workspace files using Prompt Injection | `protect-vscode-settings` blocks `.code-workspace` writes | +| [CVE-2025-54130](https://github.com/cursor/cursor/security/advisories/GHSA-vqv7-vq92-x87f) | Cursor | 7.5 | N/A | Arbitrary code execution via prompt injection via Editor Special Files | `protect-agent-config` + shell AST parser | +| [GHSA-24mc-g4xr-4395](https://github.com/cursor/cursor/security/advisories/GHSA-24mc-g4xr-4395) | Cursor | 7.2 | CWE-78, CWE-494 | Modification of MCP Server Definitions Bypasses Manual Re-approval | `protect-agent-config` blocks MCP config writes | +| [GHSA-x2vq-h6v6-jhc6](https://github.com/cursor/cursor/security/advisories/GHSA-x2vq-h6v6-jhc6) | Cursor | 7.1 | CWE-178 | Cursor CLI Agent — Sensitive File Overwrite Bypass | `pathutil` case sensitivity + credential rules | +| 
[CVE-2025-6514](https://nvd.nist.gov/vuln/detail/CVE-2025-6514) | GitHub Copilot | 9.6 | CWE-77 | Malicious MCP server → OAuth `authorization_endpoint` injection → command execution | Shell AST parser detects injected commands in URLs | +| [CVE-2026-21516](https://nvd.nist.gov/vuln/detail/CVE-2026-21516) | GitHub Copilot | 8.8 | CWE-77 | Command injection via Copilot Chat language switching → JetBrains terminal RCE | Shell AST parser + DLP | +| [CVE-2025-64660](https://nvd.nist.gov/vuln/detail/CVE-2025-64660) | GitHub Copilot | 8.0 | CWE-94 | Prompt injection writes `.vscode/launch.json` or `tasks.json` → RCE on debug/build | `protect-vscode-settings` blocks `launch.json` and `tasks.json` writes | +| RoguePilot | GitHub Copilot | High | CWE-94 | Prompt injection via GitHub Issue → Copilot token leak → GitHub repo takeover | DLP detects GitHub token exfiltration; shell AST | +| [CVE-2025-52882](https://nvd.nist.gov/vuln/detail/CVE-2025-52882) | Claude Code | 8.8 | CWE-918 | Malicious webpage scans localhost → WebSocket hijack → execute MCP commands | MCP gateway + self-protection blocks management API | +| [CVE-2025-59536](https://nvd.nist.gov/vuln/detail/CVE-2025-59536) | Claude Code | 8.7 | CWE-77 | Malicious `.claude/settings.json` injects Hooks → auto-executes shell commands | `protect-agent-config` blocks `.claude/settings*.json` writes | +| [CVE-2025-54795](https://nvd.nist.gov/vuln/detail/CVE-2025-54795) | Claude Code | 8.7 | CWE-77 | InversePrompt: malformed echo command bypasses approval prompt → arbitrary execution | Shell AST parser detects injected commands | +| [CVE-2026-25725](https://nvd.nist.gov/vuln/detail/CVE-2026-25725) | Claude Code | 7.7 | CWE-269 | Sandbox escape: missing `settings.json` allows persistent hook injection | `protect-agent-config` blocks writes regardless of file pre-existence | +| [CVE-2026-33068](https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7) | Claude Code | 8.0 | CWE-807 | Workspace Trust 
Dialog Bypass via Repo-Controlled Settings File | `protect-agent-config` blocks settings file writes | +| [CVE-2026-25722](https://github.com/anthropics/claude-code/security/advisories/GHSA-66q4-vfjg-2qhh) | Claude Code | 8.0 | CWE-20, CWE-78 | Command Injection via Directory Change Bypasses Write Protection | Shell AST parser detects injected commands | +| [CVE-2026-25723](https://github.com/anthropics/claude-code/security/advisories/GHSA-mhg7-666j-cqg4) | Claude Code | 8.0 | CWE-20, CWE-78 | Command Injection via Piped sed Command Bypasses File Write Restrictions | Shell AST parser detects piped command chains | +| [GHSA-ff64-7w26-62rf](https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf) | Claude Code | 8.0 | CWE-501, CWE-668 | Sandbox Escape via Persistent Configuration Injection in settings.json | `protect-agent-config` blocks `.claude/settings*.json` writes | +| [CVE-2026-24887](https://github.com/anthropics/claude-code/security/advisories/GHSA-qgqw-h4xq-7w8w) | Claude Code | 8.0 | CWE-78, CWE-94 | Command Injection in find Command Bypasses User Approval Prompt | Shell AST parser detects injected commands in find args | +| [CVE-2026-24053](https://github.com/anthropics/claude-code/security/advisories/GHSA-q728-gf8j-w49r) | Claude Code | 8.0 | CWE-20, CWE-22, CWE-78 | Path Restriction Bypass via ZSH Clobber Allows Arbitrary File Writes | Path normalization + credential/system file rules | +| [CVE-2026-24052](https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf) | Claude Code | 8.0 | CWE-20, CWE-601 | Domain Validation Bypass Allows Automatic Requests to Attacker-Controlled Domains | DLP detects exfiltration; host blocking rules | +| [CVE-2025-66032](https://github.com/anthropics/claude-code/security/advisories/GHSA-xq4m-mc3c-vvg3) | Claude Code | 8.0 | CWE-77 | Command Validation Bypass Allows Arbitrary Code Execution | Shell AST parser detects command injection | +| 
[CVE-2025-65099](https://github.com/anthropics/claude-code/security/advisories/GHSA-5hhx-v7f6-x7gv) | Claude Code | 8.0 | CWE-94 | Command execution prior to Claude Code startup trust dialog | Crust intercepts all tool calls regardless of trust state | +| [CVE-2025-64755](https://github.com/anthropics/claude-code/security/advisories/GHSA-7mv8-j34q-vp7q) | Claude Code | 8.0 | CWE-78 | Sed Command Validation Bypass Allows Arbitrary File Writes | Shell AST parser detects sed command injection | +| [GHSA-4fgq-fpq9-mr3g](https://github.com/anthropics/claude-code/security/advisories/GHSA-4fgq-fpq9-mr3g) | Claude Code | 8.0 | CWE-94 | Command execution prior to Claude Code startup trust dialog | Crust intercepts all tool calls regardless of trust state | +| [CVE-2025-59041](https://github.com/anthropics/claude-code/security/advisories/GHSA-j4h9-wv2m-wrf7) | Claude Code | 8.0 | CWE-94 | Arbitrary code execution caused by maliciously configured git email | Shell AST parser + `protect-agent-config` | +| [CVE-2025-58764](https://github.com/anthropics/claude-code/security/advisories/GHSA-qxfv-fcpc-w36x) | Claude Code | 8.0 | CWE-94 | Command Injection in rg command bypasses user approval prompt | Shell AST parser detects injected commands in rg args | +| [GHSA-ph6w-f82w-28w6](https://github.com/anthropics/claude-code/security/advisories/GHSA-ph6w-f82w-28w6) | Claude Code | 8.0 | CWE-94 | Arbitrary Code Execution Due to Insufficient Startup Warning | Crust intercepts all tool calls regardless of startup state | +| [CVE-2025-55284](https://github.com/anthropics/claude-code/security/advisories/GHSA-x5gv-jw7f-j6xj) | Claude Code | 8.0 | CWE-78 | Permissive Default Allowlist Enables File Read and Network Exfiltration | DLP + credential rules + host blocking | +| [GHSA-x56v-x2h6-7j34](https://github.com/anthropics/claude-code/security/advisories/GHSA-x56v-x2h6-7j34) | Claude Code | 8.0 | CWE-78 | Command Injection in echo command bypasses user approval prompt | Shell AST parser 
(same class as CVE-2025-54795) | +| [CVE-2025-54794](https://github.com/anthropics/claude-code/security/advisories/GHSA-pmw4-pwvc-3hx2) | Claude Code | 8.0 | CWE-22 | Path Restriction Bypass — unauthorized file access when path prefixes collide | Path normalization resolves prefix collisions | +| [GHSA-9f65-56v6-gxw7](https://github.com/anthropics/claude-code/security/advisories/GHSA-9f65-56v6-gxw7) | Claude Code | 8.0 | N/A | IDE extensions allow websocket connections from arbitrary origins | MCP HTTP Gateway origin validation | +| [CVE-2025-49596](https://nvd.nist.gov/vuln/detail/CVE-2025-49596) | MCP Inspector | 9.4 | CWE-352 | Browser CSRF → unauthenticated RCE via MCP Inspector | MCP HTTP Gateway origin validation | +| [CVE-2025-53109](https://nvd.nist.gov/vuln/detail/CVE-2025-53109) | MCP Servers | 7.3–8.4 | CWE-22 | EscapeRoute: path prefix matching bypass → sandbox file read | MCP gateway intercepts `resources/read` and `tools/call` | +| [CVE-2025-53110](https://nvd.nist.gov/vuln/detail/CVE-2025-53110) | MCP Servers | 7.3–8.4 | CWE-22 | EscapeRoute: symlink escape → sandbox file write | Credential rules detect sensitive file access | +| [CVE-2025-68143](https://nvd.nist.gov/vuln/detail/CVE-2025-68143) | MCP Git Server | High | CWE-77 | `git_init` arbitrary path creation | `protect-git-hooks` blocks `.git/hooks/` writes | +| [CVE-2025-68144](https://nvd.nist.gov/vuln/detail/CVE-2025-68144) | MCP Git Server | High | CWE-22 | `git_diff` argument injection → write malicious `.git/hooks` | Shell AST detects argument injection | +| [CVE-2025-68145](https://nvd.nist.gov/vuln/detail/CVE-2025-68145) | MCP Git Server | High | CWE-77 | Chained git_init + git_diff → RCE via git hooks | `protect-git-hooks` + shell AST | +| [CVE-2026-23744](https://nvd.nist.gov/vuln/detail/CVE-2026-23744) | MCP Inspector | 9.8 | CWE-306, CWE-78 | MCPJam: Inspector binds 0.0.0.0 without auth → install malicious MCP server → RCE | MCP gateway intercepts all tool calls; self-protection | +| 
[CVE-2026-33989](https://nvd.nist.gov/vuln/detail/CVE-2026-33989) | MCP Ecosystem | 8.1 | CWE-22, CWE-73 | Mobile Next MCP server path traversal | MCP gateway intercepts tool calls; path normalization | +| [GHSA-hc55-p739-j48w](https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-hc55-p739-j48w) | MCP Servers | 8.0 | N/A | Path validation bypass via colliding path prefix | Path normalization resolves prefix collisions | +| [GHSA-q66q-fx2p-7w4m](https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-q66q-fx2p-7w4m) | MCP Servers | 8.0 | N/A | Path validation bypass via symlink handling | Symlink resolution (Step 6) | +| [CVE-2025-66414](https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-w48q-cv73-mx4w) | MCP TS SDK | 8.0 | CWE-1188 | DNS Rebinding Protection Disabled by Default (TS SDK) | MCP HTTP Gateway origin validation | +| [CVE-2025-66416](https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-9h52-p55h-vw2f) | MCP Python SDK | 8.0 | CWE-1188 | DNS Rebinding Protection Disabled by Default (Python SDK) | MCP HTTP Gateway origin validation | +| [CVE-2026-33946](https://nvd.nist.gov/vuln/detail/CVE-2026-33946) | MCP Ruby SDK | 8.2 | CWE-384, CWE-639 | Session fixation / authorization bypass — attacker hijacks session | MCP gateway evaluates all tool calls regardless of session state | +| [CVE-2026-25253](https://nvd.nist.gov/vuln/detail/CVE-2026-25253) | OpenClaw | 8.8 | CWE-918 | Browser WebSocket hijack → steal auth token → disable sandbox → RCE | MCP HTTP Gateway origin validation; DLP | +| [CVE-2025-61260](https://nvd.nist.gov/vuln/detail/CVE-2025-61260) | OpenAI Codex CLI | 9.8 | CWE-77 | `.env` redirects CODEX_HOME → auto-loads malicious MCP config.toml | `protect-agent-config` + `protect-env-files` | +| [CVE-2025-59532](https://github.com/openai/codex/security/advisories/GHSA-w5fx-fh39-j5rw) | Codex CLI | 8.0 | N/A | Sandbox bypass due to bug in path configuration logic 
| Path normalization + credential rules | +| [CVE-2026-30741](https://nvd.nist.gov/vuln/detail/CVE-2026-30741) | OpenClaw/OpenCode | 9.8 | CWE-77 | Request-side prompt injection → terminal commands via MCP tools | MCP gateway + shell AST parser | +| [CVE-2026-22812](https://nvd.nist.gov/vuln/detail/CVE-2026-22812) | OpenClaw/OpenCode | 8.8 | CWE-284 | Unauthenticated HTTP server with permissive CORS → localhost command execution | Self-protection blocks localhost API; MCP gateway | +| [CVE-2025-53536](https://nvd.nist.gov/vuln/detail/CVE-2025-53536) | Roo Code | 8.1 | CWE-77 | "Write" auto-approved → prompt injection writes VS Code settings and `.roo/` config | `protect-vscode-settings` + `protect-agent-config` | +| [CVE-2026-21852](https://nvd.nist.gov/vuln/detail/CVE-2026-21852) | (low-severity) | <8.0 | — | Env var redirect via `.env` ANTHROPIC_BASE_URL overrides | Config redirect scanner | +| [CVE-2026-4270](https://nvd.nist.gov/vuln/detail/CVE-2026-4270) | (low-severity) | <8.0 | — | AWS MCP server-side path traversal | Path traversal suffix stripping + DLP | + +## Partial Defense (1) + +| CVE ID | Product | CVSS | CWE | Attack Vector | Defense Layer | +|--------|---------|------|-----|---------------|---------------| +| [CVE-2026-33980](https://nvd.nist.gov/vuln/detail/CVE-2026-33980) | MCP Ecosystem | 8.3 | CWE-943 | Azure Data Explorer MCP Server — KQL injection via tool calls | Crust sees tool call args but lacks KQL parser for injection detection | + +## Not Defensible (12) + +| CVE ID | Product | CVSS | Why Not Defensible | +|--------|---------|------|--------------------| +| [CVE-2025-64106](https://nvd.nist.gov/vuln/detail/CVE-2025-64106) | Cursor | 8.8 | IDE-internal deep-link MCP install flow — outside interception scope | +| [CVE-2025-61591](https://nvd.nist.gov/vuln/detail/CVE-2025-61591) | Cursor | 8.8 | MCP OAuth impersonation — auth-layer attack, outside Crust's scope | +| 
[GHSA-4575-fh42-7848](https://github.com/cursor/cursor/security/advisories/GHSA-4575-fh42-7848) | Cursor | 8.8 | IDE-internal deep-link modal bypass — outside interception scope | +| [CVE-2026-26118](https://nvd.nist.gov/vuln/detail/CVE-2026-26118) | Azure MCP Server | 8.8 | Server-side SSRF leaks managed identity token — executes inside MCP server process | +| [CVE-2026-21523](https://nvd.nist.gov/vuln/detail/CVE-2026-21523) | Copilot/VS Code | 8.0 | TOCTOU race condition in IDE file handling — no tool calls involved | +| [CVE-2025-59828](https://github.com/anthropics/claude-code/security/advisories/GHSA-2jjv-qf24-vfm4) | Claude Code | 8.0 | In-process plugin autoloading via Yarn — outside Crust's interception scope | +| [CVE-2026-0621](https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-cqwc-fm46-7fff) | MCP TS SDK | 8.0 | ReDoS — denial of service, outside scope | +| [CVE-2025-53366](https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-3qhf-m339-9g5v) | MCP Python SDK | 8.0 | FastMCP validation error DoS — outside scope | +| [CVE-2025-53365](https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-j975-95f5-7wqh) | MCP Python SDK | 8.0 | Streamable HTTP transport DoS — outside scope | +| [CVE-2026-25536](https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7) | MCP TS SDK | 7.1 | In-process SDK race condition — cross-client data leak, outside Crust scope | +| [CVE-2025-58335](https://nvd.nist.gov/vuln/detail/CVE-2025-58335) | Junie | <8.0 | IDE-internal information disclosure | +| [CVE-2026-27576](https://nvd.nist.gov/vuln/detail/CVE-2026-27576) | (low-severity) | <8.0 | Denial of service — outside scope | diff --git a/docs/cve-tracker-archive.md b/docs/cve-tracker-archive.md new file mode 100644 index 00000000..bc695b84 --- /dev/null +++ b/docs/cve-tracker-archive.md 
@@ -0,0 +1,147 @@ +# AI Agent Vulnerability Tracker — Archive + +Resolved CVEs that have been archived from the [active tracker](cve-tracker.md). +These entries had **Full** Crust defense and were patched by the vendor. + + +## Archived on 2026-03-23 + +### Cursor + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2025-54135](https://nvd.nist.gov/vuln/detail/CVE-2025-54135) | **9.8** | CWE-77 | CurXecute: prompt injection → write `.cursor/mcp.json` → MCP Auto-Run executes malicious commands without confirmation | **Full** | `protect-agent-config` locked rule + MCP gateway | Patched: Cursor 1.3 (2025.08) | +| [CVE-2025-54136](https://nvd.nist.gov/vuln/detail/CVE-2025-54136) | **8.8** | CWE-77 | MCPoison: once MCP server approved, config changes trusted by name → silent malicious command injection | **Full** | `protect-agent-config` blocks `.cursor/mcp.json` writes | Patched | +| [CVE-2025-61590](https://nvd.nist.gov/vuln/detail/CVE-2025-61590) | **7.5** | CWE-77 | RCE through `.code-workspace` file manipulation via compromised MCP server | **Full** | `protect-vscode-settings` blocks `*.code-workspace` writes | Patched | +| [CVE-2025-61592](https://nvd.nist.gov/vuln/detail/CVE-2025-61592) | **8.8** | CWE-77 | Auto-loading `.cursor/cli.json` from working directory → arbitrary config injection | **Full** | `protect-agent-config` blocks `.cursor/cli.json` writes | Patched | +| [CVE-2025-61593](https://nvd.nist.gov/vuln/detail/CVE-2025-61593) | **8.8** | CWE-77 | Cursor CLI Agent file modification bypasses sensitive file protection | **Full** | Credential and system file rules block sensitive file modifications | Patched | +| [CVE-2025-59944](https://nvd.nist.gov/vuln/detail/CVE-2025-59944) | **8.0** | CWE-178 | Case-insensitive path bypass: agent writes `.Cursor/mcp.json` or `.CURSOR/mcp.json` to evade case-sensitive config protection | 
**Full** | `pathutil` filesystem-based case sensitivity detection + `protect-agent-config` locked rule | Patched | + +### GitHub Copilot + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2025-6514](https://nvd.nist.gov/vuln/detail/CVE-2025-6514) | **9.6** | CWE-77 | Connect to malicious MCP server → OAuth `authorization_endpoint` injection → command execution | **Full** | Step 5–6 (shell AST parser detects injected commands in URLs) | Patched | +| [CVE-2026-21516](https://nvd.nist.gov/vuln/detail/CVE-2026-21516) | **8.8** | CWE-77 | Command injection via Copilot Chat language switching → JetBrains terminal command execution → RCE | **Full** | Step 5–6 (shell AST parser) + DLP | Patched: Feb 2026 | +| [CVE-2025-64660](https://nvd.nist.gov/vuln/detail/CVE-2025-64660) | **8.0** | CWE-94 | Prompt injection writes `.vscode/launch.json` or `tasks.json` to specify malicious executables or shell tasks → RCE on debug/build | **Full** | `protect-vscode-settings` blocks `launch.json` and `tasks.json` writes | Patched | +| RoguePilot | High | CWE-94 | Prompt injection via GitHub Issue → Copilot token leak in Codespaces → GitHub repo takeover | **Full** | DLP detects GitHub token exfiltration; shell AST detects exfiltration commands | Patched: Feb 2026 | + +### Claude Code + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2025-52882](https://nvd.nist.gov/vuln/detail/CVE-2025-52882) | **8.8** | CWE-918 | Malicious webpage scans localhost ports → WebSocket hijack → execute MCP commands | **Full** | MCP gateway intercepts tool calls + self-protection blocks management API access | Patched | +| [CVE-2025-59536](https://nvd.nist.gov/vuln/detail/CVE-2025-59536) | **8.7** | CWE-77 | Malicious `.claude/settings.json` injects 
Hooks → SessionStart auto-executes shell commands | **Full** | `protect-agent-config` locked rule blocks `.claude/settings*.json` writes; shell AST detects injected commands | Patched | +| [CVE-2025-54795](https://nvd.nist.gov/vuln/detail/CVE-2025-54795) | **8.7** | CWE-77 | InversePrompt: malformed echo command bypasses approval prompt → arbitrary command execution | **Full** | Shell AST parser (Steps 5-6) detects injected commands regardless of approval state | Patched | +| [CVE-2026-25725](https://nvd.nist.gov/vuln/detail/CVE-2026-25725) | **7.7** | CWE-269 | Sandbox escape: missing `settings.json` at startup allows persistent hook injection with host privileges | **Full** | `protect-agent-config` blocks `.claude/settings*.json` writes regardless of file pre-existence | Patched | + +### Cursor (additional) + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2026-22708](https://nvd.nist.gov/vuln/detail/CVE-2026-22708) | **8.6** | CWE-77 | Shell builtins (`export`, `typeset`) poison env vars (PERL5OPT, PYTHONWARNINGS) to hijack allowlisted commands | **Full** | `envDB` engine check (54 vars, 4 OSes): catches export, inline, env wrapper, sh -c recursive, PS $env:/Set-Item/New-Item + backtick escape | Patched | + +### MCP Ecosystem + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2025-49596](https://nvd.nist.gov/vuln/detail/CVE-2025-49596) | **9.4** | CWE-352 | Browser CSRF → unauthenticated RCE via MCP Inspector | **Full** | MCP HTTP Gateway origin validation blocks cross-origin browser requests | Patched: Inspector 0.14.1 | +| [CVE-2025-53109](https://nvd.nist.gov/vuln/detail/CVE-2025-53109) / [CVE-2025-53110](https://nvd.nist.gov/vuln/detail/CVE-2025-53110) | **7.3–8.4** | CWE-22 | EscapeRoute: path 
prefix matching bypass + symlink escape → sandbox file read/write | **Full** | MCP gateway intercepts `resources/read` and `tools/call`; credential rules detect sensitive file access | Patched: npm 2025.7.1 | +| [CVE-2025-68143](https://nvd.nist.gov/vuln/detail/CVE-2025-68143) / [68144](https://nvd.nist.gov/vuln/detail/CVE-2025-68144) / [68145](https://nvd.nist.gov/vuln/detail/CVE-2025-68145) | High | CWE-77, CWE-22 | Chained: `git_init` arbitrary path + `git_diff` argument injection → write malicious `.git/hooks` → RCE | **Full** | `protect-git-hooks` locked rule blocks `.git/hooks/` writes; shell AST detects argument injection | Patched: 2025.12.18 | +| [CVE-2026-23744](https://nvd.nist.gov/vuln/detail/CVE-2026-23744) | **9.8** | CWE-306, CWE-78 | MCPJam Inspector binds 0.0.0.0 without auth → crafted HTTP request installs malicious MCP server → RCE | **Full** | MCP gateway intercepts all tool calls from installed servers; self-protection blocks management API abuse | Patched: v1.4.3 | + +### OpenClaw + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2026-25253](https://nvd.nist.gov/vuln/detail/CVE-2026-25253) | **8.8** | CWE-918 | Malicious link → browser WebSocket hijack → steal auth token → disable sandbox → RCE | **Full** | MCP HTTP Gateway origin validation blocks cross-origin WebSocket upgrades; DLP catches token exfiltration | Patched | + +### OpenAI Codex CLI + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2025-61260](https://nvd.nist.gov/vuln/detail/CVE-2025-61260) | **9.8** | CWE-77 | `.env` redirects CODEX_HOME → auto-loads malicious MCP config.toml without approval | **Full** | `protect-agent-config` blocks `.codex/config.toml` writes; `protect-env-files` blocks `.env` writes | Patched | + 
+### OpenClaw / OpenCode + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2026-30741](https://nvd.nist.gov/vuln/detail/CVE-2026-30741) | **9.8** | CWE-77 | Request-side prompt injection → terminal commands via MCP tools | **Full** | MCP gateway + shell AST parser intercepts tool calls | Patched | +| [CVE-2026-22812](https://nvd.nist.gov/vuln/detail/CVE-2026-22812) | **8.8** | CWE-284 | Unauthenticated HTTP server with permissive CORS → any website triggers command execution via localhost | **Full** | Self-protection blocks localhost management API; MCP gateway intercepts tool calls | Patched | + +### Roo Code + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2025-53536](https://nvd.nist.gov/vuln/detail/CVE-2025-53536) | **8.1** | CWE-77 | With "Write" auto-approved, prompt injection writes VS Code settings and `.roo/` config | **Full** | `protect-vscode-settings` + `protect-agent-config` blocks `.roo/` config writes | Patched | + +## Archived on 2026-03-30 + +### Cursor + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2025-54135](https://nvd.nist.gov/vuln/detail/CVE-2025-54135) | **9.8** | CWE-77 | CurXecute: prompt injection → write `.cursor/mcp.json` → MCP Auto-Run executes malicious commands without confirmation | **Full** | `protect-agent-config` locked rule + MCP gateway | Patched: Cursor 1.3 (2025.08) | +| [CVE-2025-54136](https://nvd.nist.gov/vuln/detail/CVE-2025-54136) | **8.8** | CWE-77 | MCPoison: once MCP server approved, config changes trusted by name → silent malicious command injection | **Full** | `protect-agent-config` blocks `.cursor/mcp.json` writes | 
Patched | +| [CVE-2025-61590](https://nvd.nist.gov/vuln/detail/CVE-2025-61590) | **7.5** | CWE-77 | RCE through `.code-workspace` file manipulation via compromised MCP server | **Full** | `protect-vscode-settings` blocks `*.code-workspace` writes | Patched | +| [CVE-2025-61592](https://nvd.nist.gov/vuln/detail/CVE-2025-61592) | **8.8** | CWE-77 | Auto-loading `.cursor/cli.json` from working directory → arbitrary config injection | **Full** | `protect-agent-config` blocks `.cursor/cli.json` writes | Patched | +| [CVE-2025-61593](https://nvd.nist.gov/vuln/detail/CVE-2025-61593) | **8.8** | CWE-77 | Cursor CLI Agent file modification bypasses sensitive file protection | **Full** | Credential and system file rules block sensitive file modifications | Patched | +| [CVE-2025-59944](https://nvd.nist.gov/vuln/detail/CVE-2025-59944) | **8.0** | CWE-178 | Case-insensitive path bypass: agent writes `.Cursor/mcp.json` or `.CURSOR/mcp.json` to evade case-sensitive config protection | **Full** | `pathutil` filesystem-based case sensitivity detection + `protect-agent-config` locked rule | Patched | + +### GitHub Copilot + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2025-6514](https://nvd.nist.gov/vuln/detail/CVE-2025-6514) | **9.6** | CWE-77 | Connect to malicious MCP server → OAuth `authorization_endpoint` injection → command execution | **Full** | Step 5–6 (shell AST parser detects injected commands in URLs) | Patched | +| [CVE-2026-21516](https://nvd.nist.gov/vuln/detail/CVE-2026-21516) | **8.8** | CWE-77 | Command injection via Copilot Chat language switching → JetBrains terminal command execution → RCE | **Full** | Step 5–6 (shell AST parser) + DLP | Patched: Feb 2026 | +| [CVE-2025-64660](https://nvd.nist.gov/vuln/detail/CVE-2025-64660) | **8.0** | CWE-94 | Prompt injection writes `.vscode/launch.json` or `tasks.json` to specify malicious 
executables or shell tasks → RCE on debug/build | **Full** | `protect-vscode-settings` blocks `launch.json` and `tasks.json` writes | Patched | +| RoguePilot | High | CWE-94 | Prompt injection via GitHub Issue → Copilot token leak in Codespaces → GitHub repo takeover | **Full** | DLP detects GitHub token exfiltration; shell AST detects exfiltration commands | Patched: Feb 2026 | + +### Claude Code + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2025-52882](https://nvd.nist.gov/vuln/detail/CVE-2025-52882) | **8.8** | CWE-918 | Malicious webpage scans localhost ports → WebSocket hijack → execute MCP commands | **Full** | MCP gateway intercepts tool calls + self-protection blocks management API access | Patched | +| [CVE-2025-59536](https://nvd.nist.gov/vuln/detail/CVE-2025-59536) | **8.7** | CWE-77 | Malicious `.claude/settings.json` injects Hooks → SessionStart auto-executes shell commands | **Full** | `protect-agent-config` locked rule blocks `.claude/settings*.json` writes; shell AST detects injected commands | Patched | +| [CVE-2025-54795](https://nvd.nist.gov/vuln/detail/CVE-2025-54795) | **8.7** | CWE-77 | InversePrompt: malformed echo command bypasses approval prompt → arbitrary command execution | **Full** | Shell AST parser (Steps 5-6) detects injected commands regardless of approval state | Patched | +| [CVE-2026-25725](https://nvd.nist.gov/vuln/detail/CVE-2026-25725) | **7.7** | CWE-269 | Sandbox escape: missing `settings.json` at startup allows persistent hook injection with host privileges | **Full** | `protect-agent-config` blocks `.claude/settings*.json` writes regardless of file pre-existence | Patched | + +### Cursor (additional) + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| 
[CVE-2026-22708](https://nvd.nist.gov/vuln/detail/CVE-2026-22708) | **8.6** | CWE-77 | Shell builtins (`export`, `typeset`) poison env vars (PERL5OPT, PYTHONWARNINGS) to hijack allowlisted commands | **Full** | `envDB` engine check (54 vars, 4 OSes): catches export, inline, env wrapper, sh -c recursive, PS $env:/Set-Item/New-Item + backtick escape | Patched | + +### MCP Ecosystem + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2025-49596](https://nvd.nist.gov/vuln/detail/CVE-2025-49596) | **9.4** | CWE-352 | Browser CSRF → unauthenticated RCE via MCP Inspector | **Full** | MCP HTTP Gateway origin validation blocks cross-origin browser requests | Patched: Inspector 0.14.1 | +| [CVE-2025-53109](https://nvd.nist.gov/vuln/detail/CVE-2025-53109) / [CVE-2025-53110](https://nvd.nist.gov/vuln/detail/CVE-2025-53110) | **7.3–8.4** | CWE-22 | EscapeRoute: path prefix matching bypass + symlink escape → sandbox file read/write | **Full** | MCP gateway intercepts `resources/read` and `tools/call`; credential rules detect sensitive file access | Patched: npm 2025.7.1 | +| [CVE-2025-68143](https://nvd.nist.gov/vuln/detail/CVE-2025-68143) / [68144](https://nvd.nist.gov/vuln/detail/CVE-2025-68144) / [68145](https://nvd.nist.gov/vuln/detail/CVE-2025-68145) | High | CWE-77, CWE-22 | Chained: `git_init` arbitrary path + `git_diff` argument injection → write malicious `.git/hooks` → RCE | **Full** | `protect-git-hooks` locked rule blocks `.git/hooks/` writes; shell AST detects argument injection | Patched: 2025.12.18 | +| [CVE-2026-23744](https://nvd.nist.gov/vuln/detail/CVE-2026-23744) | **9.8** | CWE-306, CWE-78 | MCPJam Inspector binds 0.0.0.0 without auth → crafted HTTP request installs malicious MCP server → RCE | **Full** | MCP gateway intercepts all tool calls from installed servers; self-protection blocks management API abuse | Patched: v1.4.3 | + 
+### OpenClaw + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2026-25253](https://nvd.nist.gov/vuln/detail/CVE-2026-25253) | **8.8** | CWE-918 | Malicious link → browser WebSocket hijack → steal auth token → disable sandbox → RCE | **Full** | MCP HTTP Gateway origin validation blocks cross-origin WebSocket upgrades; DLP catches token exfiltration | Patched | + +### OpenAI Codex CLI + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2025-61260](https://nvd.nist.gov/vuln/detail/CVE-2025-61260) | **9.8** | CWE-77 | `.env` redirects CODEX_HOME → auto-loads malicious MCP config.toml without approval | **Full** | `protect-agent-config` blocks `.codex/config.toml` writes; `protect-env-files` blocks `.env` writes | Patched | + +### OpenClaw / OpenCode + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2026-30741](https://nvd.nist.gov/vuln/detail/CVE-2026-30741) | **9.8** | CWE-77 | Request-side prompt injection → terminal commands via MCP tools | **Full** | MCP gateway + shell AST parser intercepts tool calls | Patched | +| [CVE-2026-22812](https://nvd.nist.gov/vuln/detail/CVE-2026-22812) | **8.8** | CWE-284 | Unauthenticated HTTP server with permissive CORS → any website triggers command execution via localhost | **Full** | Self-protection blocks localhost management API; MCP gateway intercepts tool calls | Patched | + +### Roo Code + +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | +|-----|------|-----|---------------|---------------|---------------|---------------| +| [CVE-2025-53536](https://nvd.nist.gov/vuln/detail/CVE-2025-53536) | **8.1** | 
CWE-77 | With "Write" auto-approved, prompt injection writes VS Code settings and `.roo/` config | **Full** | `protect-vscode-settings` + `protect-agent-config` blocks `.roo/` config writes | Patched | diff --git a/docs/cve-tracker.md b/docs/cve-tracker.md index b43e185e..e82ddf78 100644 --- a/docs/cve-tracker.md +++ b/docs/cve-tracker.md @@ -2,16 +2,16 @@ Crust tracks vulnerabilities in AI coding agents and related tools to validate and improve its defense coverage. This document serves as a living reference for known vulnerabilities and Crust's ability to mitigate them. -**Last updated:** 2026-03-25 +**Last updated:** 2026-03-30 ## Coverage Summary | Status | Count | % | |--------|------:|----:| -| Full defense | 41 | 80.4% | -| Partial defense | 2 | 3.9% | -| Not defensible | 8 | 15.7% | -| **Total** | **51** | | +| Full defense | 71 | 84.5% | +| Partial defense | 1 | 1.2% | +| Not defensible | 12 | 14.3% | +| **Total** | **84** | | Only high-risk resolved CVEs (CVSS >= 8.0) are listed individually below. Lower-severity resolved CVEs are counted in the summary but omitted for brevity. Fully resolved entries are periodically moved to the [archive](cve-tracker-archive.md). 
@@ -21,73 +21,68 @@ Only high-risk resolved CVEs (CVSS >= 8.0) are listed individually below. Lower- ### Cursor -| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | -|-----|------|-----|---------------|---------------|---------------|---------------| -| [CVE-2025-54135](https://nvd.nist.gov/vuln/detail/CVE-2025-54135) | **9.8** | CWE-77 | CurXecute: prompt injection → write `.cursor/mcp.json` → MCP Auto-Run executes malicious commands without confirmation | **Full** | `protect-agent-config` locked rule + MCP gateway | Patched: Cursor 1.3 (2025.08) | -| [CVE-2025-54136](https://nvd.nist.gov/vuln/detail/CVE-2025-54136) | **8.8** | CWE-77 | MCPoison: once MCP server approved, config changes trusted by name → silent malicious command injection | **Full** | `protect-agent-config` blocks `.cursor/mcp.json` writes | Patched | -| [CVE-2025-61590](https://nvd.nist.gov/vuln/detail/CVE-2025-61590) | **7.5** | CWE-77 | RCE through `.code-workspace` file manipulation via compromised MCP server | **Full** | `protect-vscode-settings` blocks `*.code-workspace` writes | Patched | -| [CVE-2025-61592](https://nvd.nist.gov/vuln/detail/CVE-2025-61592) | **8.8** | CWE-77 | Auto-loading `.cursor/cli.json` from working directory → arbitrary config injection | **Full** | `protect-agent-config` blocks `.cursor/cli.json` writes | Patched | -| [CVE-2025-61593](https://nvd.nist.gov/vuln/detail/CVE-2025-61593) | **8.8** | CWE-77 | Cursor CLI Agent file modification bypasses sensitive file protection | **Full** | Credential and system file rules block sensitive file modifications | Patched | -| [CVE-2025-64106](https://nvd.nist.gov/vuln/detail/CVE-2025-64106) | **8.8** | CWE-20 | MCP deep-link installation flow bypasses approval → arbitrary command execution | **None** | IDE-internal deep-link handling, outside Crust's interception scope | Patched | -| [CVE-2025-59944](https://nvd.nist.gov/vuln/detail/CVE-2025-59944) | **8.0** | CWE-178 | Case-insensitive path 
bypass: agent writes `.Cursor/mcp.json` or `.CURSOR/mcp.json` to evade case-sensitive config protection | **Full** | `pathutil` filesystem-based case sensitivity detection + `protect-agent-config` locked rule | Patched | - -### GitHub Copilot - -| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | -|-----|------|-----|---------------|---------------|---------------|---------------| -| [CVE-2025-6514](https://nvd.nist.gov/vuln/detail/CVE-2025-6514) | **9.6** | CWE-77 | Connect to malicious MCP server → OAuth `authorization_endpoint` injection → command execution | **Full** | Step 5–6 (shell AST parser detects injected commands in URLs) | Patched | -| [CVE-2026-21516](https://nvd.nist.gov/vuln/detail/CVE-2026-21516) | **8.8** | CWE-77 | Command injection via Copilot Chat language switching → JetBrains terminal command execution → RCE | **Full** | Step 5–6 (shell AST parser) + DLP | Patched: Feb 2026 | -| [CVE-2025-64660](https://nvd.nist.gov/vuln/detail/CVE-2025-64660) | **8.0** | CWE-94 | Prompt injection writes `.vscode/launch.json` or `tasks.json` to specify malicious executables or shell tasks → RCE on debug/build | **Full** | `protect-vscode-settings` blocks `launch.json` and `tasks.json` writes | Patched | -| RoguePilot | High | CWE-94 | Prompt injection via GitHub Issue → Copilot token leak in Codespaces → GitHub repo takeover | **Full** | DLP detects GitHub token exfiltration; shell AST detects exfiltration commands | Patched: Feb 2026 | +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | +|-----|------|-----|---------------|---------------|---------------| +| [CVE-2025-64107](https://github.com/cursor/cursor/security/advisories/GHSA-2jr2-8wf5-v6pf) | **8.8** | N/A | Sensitive File Protection Bypass — Path Manipulation Using Backslashes on Windows | **Full** | `pathutil` normalizes backslashes + credential rules | +| [CVE-2025-64108](https://github.com/cursor/cursor/security/advisories/GHSA-6r98-6qcw-rxrw) | 
**8.8** | N/A | Sensitive File Modification — NTFS Path Quirks | **Full** | `pathutil` NTFS path normalization + credential rules | +| [GHSA-wj33-264c-j9cq](https://github.com/cursor/cursor/security/advisories/GHSA-wj33-264c-j9cq) | **8.8** | CWE-78 | RCE in Cursor CLI via Cursor Agent MCP OAuth2 Communication | **Full** | Shell AST parser detects injected commands in OAuth flow | +| [GHSA-v64q-396f-7m79](https://github.com/cursor/cursor/security/advisories/GHSA-v64q-396f-7m79) | **8.8** | CWE-829 | Arbitrary code execution — Permissive CLI Config in Cursor CLI | **Full** | `protect-agent-config` blocks CLI config writes | +| [CVE-2025-64109](https://github.com/cursor/cursor/security/advisories/GHSA-4hwr-97q3-37w2) | **8.8** | CWE-78 | Command Injection via Untrusted MCP Configuration in Cursor CLI Beta | **Full** | MCP gateway intercepts tool calls; shell AST parser | +| [GHSA-4cxx-hrm3-49rm](https://github.com/cursor/cursor/security/advisories/GHSA-4cxx-hrm3-49rm) | **8.6** | CWE-78, CWE-829 | Arbitrary code execution via prompt injection via MCP Special Files | **Full** | MCP gateway + `protect-agent-config` | +| [CVE-2026-26268](https://github.com/cursor/cursor/security/advisories/GHSA-8pcm-8jpx-hv8r) | **8.1** | N/A | Sandbox escape via Git hooks | **Full** | `protect-git-hooks` blocks `.git/hooks/` writes | +| [GHSA-xcwh-rrwj-gxc7](https://github.com/cursor/cursor/security/advisories/GHSA-xcwh-rrwj-gxc7) | **8.1** | CWE-178 | Cursor IDE — Sensitive File Overwrite Bypass | **Full** | `pathutil` case sensitivity detection + credential rules | +| [CVE-2025-32018](https://github.com/cursor/cursor/security/advisories/GHSA-qjh8-mh96-fc86) | **8.1** | CWE-20 | Arbitrary file write via prompt injection from malicious @Docs | **Full** | Credential/system file rules block sensitive writes | +| [CVE-2025-64110](https://github.com/cursor/cursor/security/advisories/GHSA-vhc2-fjv4-wqch) | **8.0** | N/A | Cursorignore Bypass via New Cursorignore Write | **Full** | 
`protect-agent-config` blocks config file writes | +| [CVE-2026-31854](https://github.com/cursor/cursor/security/advisories/GHSA-hf2x-r83r-qw5q) | **8.0** | CWE-78 | Arbitrary Code Execution via Prompt Injection and Whitelist Bypass | **Full** | Shell AST parser + credential rules | +| [GHSA-82wg-qcm4-fp2w](https://github.com/cursor/cursor/security/advisories/GHSA-82wg-qcm4-fp2w) | **8.0** | CWE-78 | Terminal Tool Allowlist Bypass via Environment Variables | **Full** | `envDB` engine detects env var poisoning | +| [CVE-2024-48919](https://github.com/cursor/cursor/security/advisories/GHSA-rmj9-23rg-gr67) | **8.0** | CWE-20 | RCE via Prompt Injection Into Cursor's Terminal Cmd-K | **Full** | Shell AST parser detects injected commands | +| [GHSA-xg6w-rmh5-r77r](https://github.com/cursor/cursor/security/advisories/GHSA-xg6w-rmh5-r77r) | **7.5** | N/A | RCE via .code-workspace files using Prompt Injection | **Full** | `protect-vscode-settings` blocks `.code-workspace` writes | +| [CVE-2025-54130](https://github.com/cursor/cursor/security/advisories/GHSA-vqv7-vq92-x87f) | **7.5** | N/A | Arbitrary code execution via prompt injection via Editor Special Files | **Full** | `protect-agent-config` + shell AST parser | +| [GHSA-24mc-g4xr-4395](https://github.com/cursor/cursor/security/advisories/GHSA-24mc-g4xr-4395) | **7.2** | CWE-78, CWE-494 | Modification of MCP Server Definitions Bypasses Manual Re-approval | **Full** | `protect-agent-config` blocks MCP config writes | +| [GHSA-x2vq-h6v6-jhc6](https://github.com/cursor/cursor/security/advisories/GHSA-x2vq-h6v6-jhc6) | **7.1** | CWE-178 | Cursor CLI Agent — Sensitive File Overwrite Bypass | **Full** | `pathutil` case sensitivity + credential rules | ### Claude Code -| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | -|-----|------|-----|---------------|---------------|---------------|---------------| -| [CVE-2025-52882](https://nvd.nist.gov/vuln/detail/CVE-2025-52882) | **8.8** | CWE-918 | 
Malicious webpage scans localhost ports → WebSocket hijack → execute MCP commands | **Full** | MCP gateway intercepts tool calls + self-protection blocks management API access | Patched | -| [CVE-2025-59536](https://nvd.nist.gov/vuln/detail/CVE-2025-59536) | **8.7** | CWE-77 | Malicious `.claude/settings.json` injects Hooks → SessionStart auto-executes shell commands | **Full** | `protect-agent-config` locked rule blocks `.claude/settings*.json` writes; shell AST detects injected commands | Patched | -| [CVE-2025-54795](https://nvd.nist.gov/vuln/detail/CVE-2025-54795) | **8.7** | CWE-77 | InversePrompt: malformed echo command bypasses approval prompt → arbitrary command execution | **Full** | Shell AST parser (Steps 5-6) detects injected commands regardless of approval state | Patched | -| [CVE-2026-25725](https://nvd.nist.gov/vuln/detail/CVE-2026-25725) | **7.7** | CWE-269 | Sandbox escape: missing `settings.json` at startup allows persistent hook injection with host privileges | **Full** | `protect-agent-config` blocks `.claude/settings*.json` writes regardless of file pre-existence | Patched | - -### Cursor (additional) - -| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | -|-----|------|-----|---------------|---------------|---------------|---------------| -| [CVE-2026-22708](https://nvd.nist.gov/vuln/detail/CVE-2026-22708) | **8.6** | CWE-77 | Shell builtins (`export`, `typeset`) poison env vars (PERL5OPT, PYTHONWARNINGS) to hijack allowlisted commands | **Full** | `envDB` engine check (54 vars, 4 OSes): catches export, inline, env wrapper, sh -c recursive, PS $env:/Set-Item/New-Item + backtick escape | Patched | +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | +|-----|------|-----|---------------|---------------|---------------| +| [CVE-2026-33068](https://github.com/anthropics/claude-code/security/advisories/GHSA-mmgp-wc2j-qcv7) | **8.0** | CWE-807 | Workspace Trust Dialog Bypass via Repo-Controlled 
Settings File | **Full** | `protect-agent-config` blocks settings file writes | +| [CVE-2026-25722](https://github.com/anthropics/claude-code/security/advisories/GHSA-66q4-vfjg-2qhh) | **8.0** | CWE-20, CWE-78 | Command Injection via Directory Change Bypasses Write Protection | **Full** | Shell AST parser detects injected commands | +| [CVE-2026-25723](https://github.com/anthropics/claude-code/security/advisories/GHSA-mhg7-666j-cqg4) | **8.0** | CWE-20, CWE-78 | Command Injection via Piped sed Command Bypasses File Write Restrictions | **Full** | Shell AST parser detects piped command chains | +| [GHSA-ff64-7w26-62rf](https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf) | **8.0** | CWE-501, CWE-668 | Sandbox Escape via Persistent Configuration Injection in settings.json | **Full** | `protect-agent-config` blocks `.claude/settings*.json` writes | +| [CVE-2026-24887](https://github.com/anthropics/claude-code/security/advisories/GHSA-qgqw-h4xq-7w8w) | **8.0** | CWE-78, CWE-94 | Command Injection in find Command Bypasses User Approval Prompt | **Full** | Shell AST parser detects injected commands in find args | +| [CVE-2026-24053](https://github.com/anthropics/claude-code/security/advisories/GHSA-q728-gf8j-w49r) | **8.0** | CWE-20, CWE-22, CWE-78 | Path Restriction Bypass via ZSH Clobber Allows Arbitrary File Writes | **Full** | Path normalization + credential/system file rules | +| [CVE-2026-24052](https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf) | **8.0** | CWE-20, CWE-601 | Domain Validation Bypass Allows Automatic Requests to Attacker-Controlled Domains | **Full** | DLP detects exfiltration; host blocking rules | +| [CVE-2025-66032](https://github.com/anthropics/claude-code/security/advisories/GHSA-xq4m-mc3c-vvg3) | **8.0** | CWE-77 | Command Validation Bypass Allows Arbitrary Code Execution | **Full** | Shell AST parser detects command injection | +| 
[CVE-2025-65099](https://github.com/anthropics/claude-code/security/advisories/GHSA-5hhx-v7f6-x7gv) | **8.0** | CWE-94 | Command execution prior to Claude Code startup trust dialog | **Full** | Crust intercepts all tool calls regardless of trust state | +| [CVE-2025-64755](https://github.com/anthropics/claude-code/security/advisories/GHSA-7mv8-j34q-vp7q) | **8.0** | CWE-78 | Sed Command Validation Bypass Allows Arbitrary File Writes | **Full** | Shell AST parser detects sed command injection | +| [GHSA-4fgq-fpq9-mr3g](https://github.com/anthropics/claude-code/security/advisories/GHSA-4fgq-fpq9-mr3g) | **8.0** | CWE-94 | Command execution prior to Claude Code startup trust dialog | **Full** | Crust intercepts all tool calls regardless of trust state | +| [CVE-2025-59041](https://github.com/anthropics/claude-code/security/advisories/GHSA-j4h9-wv2m-wrf7) | **8.0** | CWE-94 | Arbitrary code execution caused by maliciously configured git email | **Full** | Shell AST parser + `protect-agent-config` | +| [CVE-2025-58764](https://github.com/anthropics/claude-code/security/advisories/GHSA-qxfv-fcpc-w36x) | **8.0** | CWE-94 | Command Injection in rg command bypasses user approval prompt | **Full** | Shell AST parser detects injected commands in rg args | +| [GHSA-ph6w-f82w-28w6](https://github.com/anthropics/claude-code/security/advisories/GHSA-ph6w-f82w-28w6) | **8.0** | CWE-94 | Arbitrary Code Execution Due to Insufficient Startup Warning | **Full** | Crust intercepts all tool calls regardless of startup state | +| [CVE-2025-55284](https://github.com/anthropics/claude-code/security/advisories/GHSA-x5gv-jw7f-j6xj) | **8.0** | CWE-78 | Permissive Default Allowlist Enables File Read and Network Exfiltration | **Full** | DLP + credential rules + host blocking | +| [GHSA-x56v-x2h6-7j34](https://github.com/anthropics/claude-code/security/advisories/GHSA-x56v-x2h6-7j34) | **8.0** | CWE-78 | Command Injection in echo command bypasses user approval prompt | **Full** | Shell AST 
parser (same class as CVE-2025-54795) | +| [CVE-2025-54794](https://github.com/anthropics/claude-code/security/advisories/GHSA-pmw4-pwvc-3hx2) | **8.0** | CWE-22 | Path Restriction Bypass — unauthorized file access when path prefixes collide | **Full** | Path normalization resolves prefix collisions | +| [GHSA-9f65-56v6-gxw7](https://github.com/anthropics/claude-code/security/advisories/GHSA-9f65-56v6-gxw7) | **8.0** | N/A | IDE extensions allow websocket connections from arbitrary origins | **Full** | MCP HTTP Gateway origin validation | ### MCP Ecosystem -| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | -|-----|------|-----|---------------|---------------|---------------|---------------| -| [CVE-2025-49596](https://nvd.nist.gov/vuln/detail/CVE-2025-49596) | **9.4** | CWE-352 | Browser CSRF → unauthenticated RCE via MCP Inspector | **Full** | MCP HTTP Gateway origin validation blocks cross-origin browser requests | Patched: Inspector 0.14.1 | -| [CVE-2025-53109](https://nvd.nist.gov/vuln/detail/CVE-2025-53109) / [CVE-2025-53110](https://nvd.nist.gov/vuln/detail/CVE-2025-53110) | **7.3–8.4** | CWE-22 | EscapeRoute: path prefix matching bypass + symlink escape → sandbox file read/write | **Full** | MCP gateway intercepts `resources/read` and `tools/call`; credential rules detect sensitive file access | Patched: npm 2025.7.1 | -| [CVE-2025-68143](https://nvd.nist.gov/vuln/detail/CVE-2025-68143) / [68144](https://nvd.nist.gov/vuln/detail/CVE-2025-68144) / [68145](https://nvd.nist.gov/vuln/detail/CVE-2025-68145) | High | CWE-77, CWE-22 | Chained: `git_init` arbitrary path + `git_diff` argument injection → write malicious `.git/hooks` → RCE | **Full** | `protect-git-hooks` locked rule blocks `.git/hooks/` writes; shell AST detects argument injection | Patched: 2025.12.18 | -| [CVE-2026-23744](https://nvd.nist.gov/vuln/detail/CVE-2026-23744) | **9.8** | CWE-306, CWE-78 | MCPJam Inspector binds 0.0.0.0 without auth → crafted HTTP 
request installs malicious MCP server → RCE | **Full** | MCP gateway intercepts all tool calls from installed servers; self-protection blocks management API abuse | Patched: v1.4.3 | - -### OpenClaw - -| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | -|-----|------|-----|---------------|---------------|---------------|---------------| -| [CVE-2026-25253](https://nvd.nist.gov/vuln/detail/CVE-2026-25253) | **8.8** | CWE-918 | Malicious link → browser WebSocket hijack → steal auth token → disable sandbox → RCE | **Full** | MCP HTTP Gateway origin validation blocks cross-origin WebSocket upgrades; DLP catches token exfiltration | Patched | +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | +|-----|------|-----|---------------|---------------|---------------| +| [CVE-2026-33989](https://nvd.nist.gov/vuln/detail/CVE-2026-33989) | **8.1** | CWE-22, CWE-73 | Mobile Next MCP server path traversal | **Full** | MCP gateway intercepts tool calls; path normalization | +| [CVE-2026-33946](https://nvd.nist.gov/vuln/detail/CVE-2026-33946) | **8.2** | CWE-384, CWE-639 | MCP Ruby SDK session fixation / authorization bypass | **Full** | MCP gateway evaluates all tool calls regardless of session state | +| [CVE-2026-33980](https://nvd.nist.gov/vuln/detail/CVE-2026-33980) | **8.3** | CWE-943 | Azure Data Explorer MCP Server — KQL injection via tool calls | **Partial** | Crust sees tool call args but lacks KQL parser | +| [GHSA-hc55-p739-j48w](https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-hc55-p739-j48w) | **8.0** | N/A | Path validation bypass via colliding path prefix | **Full** | Path normalization resolves prefix collisions | +| [GHSA-q66q-fx2p-7w4m](https://github.com/modelcontextprotocol/servers/security/advisories/GHSA-q66q-fx2p-7w4m) | **8.0** | N/A | Path validation bypass via symlink handling | **Full** | Symlink resolution (Step 6) | +| 
[CVE-2025-66414](https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-w48q-cv73-mx4w) | **8.0** | CWE-1188 | DNS Rebinding Protection Disabled by Default (TS SDK) | **Full** | MCP HTTP Gateway origin validation | +| [CVE-2025-66416](https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-9h52-p55h-vw2f) | **8.0** | CWE-1188 | DNS Rebinding Protection Disabled by Default (Python SDK) | **Full** | MCP HTTP Gateway origin validation | ### OpenAI Codex CLI -| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | -|-----|------|-----|---------------|---------------|---------------|---------------| -| [CVE-2025-61260](https://nvd.nist.gov/vuln/detail/CVE-2025-61260) | **9.8** | CWE-77 | `.env` redirects CODEX_HOME → auto-loads malicious MCP config.toml without approval | **Full** | `protect-agent-config` blocks `.codex/config.toml` writes; `protect-env-files` blocks `.env` writes | Patched | +| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | +|-----|------|-----|---------------|---------------|---------------| +| [CVE-2025-59532](https://github.com/openai/codex/security/advisories/GHSA-w5fx-fh39-j5rw) | **8.0** | N/A | Sandbox bypass due to bug in path configuration logic | **Full** | Path normalization + credential rules | -### OpenClaw / OpenCode -| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | -|-----|------|-----|---------------|---------------|---------------|---------------| -| [CVE-2026-30741](https://nvd.nist.gov/vuln/detail/CVE-2026-30741) | **9.8** | CWE-77 | Request-side prompt injection → terminal commands via MCP tools | **Full** | MCP gateway + shell AST parser intercepts tool calls | Patched | -| [CVE-2026-22812](https://nvd.nist.gov/vuln/detail/CVE-2026-22812) | **8.8** | CWE-284 | Unauthenticated HTTP server with permissive CORS → any website triggers command execution via localhost | **Full** | Self-protection blocks 
localhost management API; MCP gateway intercepts tool calls | Patched | - -### Roo Code - -| CVE | CVSS | CWE | Attack Vector | Crust Defense | Defense Layer | Vendor Status | -|-----|------|-----|---------------|---------------|---------------|---------------| -| [CVE-2025-53536](https://nvd.nist.gov/vuln/detail/CVE-2025-53536) | **8.1** | CWE-77 | With "Write" auto-approved, prompt injection writes VS Code settings and `.roo/` config | **Full** | `protect-vscode-settings` + `protect-agent-config` blocks `.roo/` config writes | Patched | --- 
@@ -98,10 +93,15 @@ Issues where Crust currently cannot provide full defense: | CVE | CVSS | Product | Why Not Defensible | |-----|------|---------|--------------------| | [CVE-2025-64106](https://nvd.nist.gov/vuln/detail/CVE-2025-64106) | **8.8** | Cursor | IDE-internal deep-link MCP install flow — outside Crust's interception scope | +| [GHSA-4575-fh42-7848](https://github.com/cursor/cursor/security/advisories/GHSA-4575-fh42-7848) | **8.8** | Cursor | IDE-internal deep-link modal bypass — outside interception scope | | [CVE-2025-61591](https://nvd.nist.gov/vuln/detail/CVE-2025-61591) | **8.8** | Cursor | MCP OAuth impersonation — auth-layer attack, outside Crust's scope | -| [CVE-2025-68664](https://nvd.nist.gov/vuln/detail/CVE-2025-68664) | **9.3** | LangChain | In-process serialization injection — Crust intercepts at transport level, not in-process | -| [CVE-2026-21523](https://nvd.nist.gov/vuln/detail/CVE-2026-21523) | **8.0** | Copilot/VS Code | TOCTOU race condition in IDE file handling — no tool calls involved, not interceptable | | [CVE-2026-26118](https://nvd.nist.gov/vuln/detail/CVE-2026-26118) | **8.8** | Azure MCP Server | Server-side SSRF leaks managed identity token — SSRF executes inside MCP server process | +| [CVE-2026-21523](https://nvd.nist.gov/vuln/detail/CVE-2026-21523) | **8.0** | Copilot/VS Code | TOCTOU race condition in IDE file handling — no tool calls involved, not interceptable | +| [CVE-2025-59828](https://github.com/anthropics/claude-code/security/advisories/GHSA-2jjv-qf24-vfm4) | **8.0** | Claude Code | In-process plugin autoloading via Yarn — outside Crust's interception scope | +| [CVE-2026-0621](https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-cqwc-fm46-7fff) | **8.0** | MCP TS SDK | ReDoS — denial of service, outside scope | +| [CVE-2025-53366](https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-3qhf-m339-9g5v) | **8.0** | MCP Python SDK | FastMCP validation error DoS — 
outside scope | +| [CVE-2025-53365](https://github.com/modelcontextprotocol/python-sdk/security/advisories/GHSA-j975-95f5-7wqh) | **8.0** | MCP Python SDK | Streamable HTTP transport DoS — outside scope | +| [CVE-2026-25536](https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7) | **7.1** | MCP TS SDK | In-process SDK race condition — cross-client data leak, outside Crust scope | *Lower-severity CVEs (CVSS < 8.0): CVE-2026-21852 (full — config redirect scanner detects .env ANTHROPIC_BASE_URL overrides), CVE-2026-4270 (full — path traversal suffix stripping + DLP), CVE-2025-58335 (Junie info disclosure — not defensible, IDE-internal), CVE-2026-27576 (DoS — not defensible, outside scope).*
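Review bot: The new docs/cve-reference.md contains the "### OpenClaw / OpenCode" and "### Roo Code" sections twice with identical rows (CVE-2026-30741, CVE-2026-22812 and CVE-2025-53536 appear both before the "## Archived on 2026-03-30" heading and again at the end of the archive block). A file that calls itself a "Complete inventory" with "Total: 84" should carry each entry once, otherwise the per-status counts in the header cannot be reconciled against the rows; since all three are marked Patched and are removed from the active tracker in this same change, the archive copy looks like the intended one and the first copy should go. The "### Cursor (additional)" heading copied into the archive also splits Cursor rows across two tables for no stated reason; folding CVE-2026-22708 into "### Cursor" would keep one table per product.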
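Review bot: The Coverage Summary numbers are internally consistent (71 + 1 + 12 = 84, and 84.5% / 1.2% / 14.3% match those counts), but the unchanged sentence immediately below, "Only high-risk resolved CVEs (CVSS >= 8.0) are listed individually below", no longer describes the tables this change introduces: the new Cursor table lists rows at 7.5 (GHSA-xg6w-rmh5-r77r, CVE-2025-54130), 7.2 (GHSA-24mc-g4xr-4395) and 7.1 (GHSA-x2vq-h6v6-jhc6). Either lower the stated threshold in this paragraph or move those rows into the lower-severity footnote so the stated listing rule and the tables agree.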
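Review bot: Two Claude Code rows, CVE-2025-65099 and GHSA-4fgq-fpq9-mr3g, carry the identical attack vector ("Command execution prior to Claude Code startup trust dialog") and the identical defense layer text; please confirm these are two distinct advisories rather than one issue counted twice toward the 71 Full entries, and if they are distinct, give each a distinguishing description. The "Vendor Status" column is also dropped from every active table here while the archive tables in docs/cve-reference.md keep it; since the paragraph above says only resolved CVEs are listed individually, the column was the only place that resolution was stated per row, so either keep it or add a sentence saying that a row's presence implies a vendor fix. Finally, several rows use "N/A" in the CWE column while the Not defensible table and the footnote use "—" for missing values; pick one convention.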
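Review bot: CVE-2025-68664 (LangChain, 9.3) is removed from the Not defensible table and does not reappear anywhere in this diff, not in the archive, the new reference table, or the lower-severity footnote, yet the Not defensible count still reconciles (10 table rows plus the two not-defensible items in the footnote = 12), which suggests the entry was silently replaced rather than moved. If it was dropped because LangChain is out of the tracker's "AI coding agents and related tools" scope, say so in the commit or in the document, otherwise restore it. The removal and re-insertion of the unchanged CVE-2026-21523 row a few lines down is pure reordering that makes the hunk harder to review; if the table is meant to be ordered by product or CVSS, state the ordering rule once rather than shuffling rows per update.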