🔴 HIGH threat

Windsurf Prompt Injection via Filename

Tenable disclosed a prompt-injection issue affecting Windsurf in which malicious filenames can steer the model agent's tools (e.g., read_url_content) into performing unintended actions unless user approval is enforced. The timeline shows coordinated disclosure from July to October 2025, with the publication date planned. Proposed mitigations include gating tool use behind explicit user approval and improving context isolation so that untrusted content (including filenames) is treated as data rather than as instructions. The case highlights the need to threat-model LLM agent tools and the blast radius of implicit automation in developer IDEs.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: AI-enabled IDEs may exfiltrate data or execute unintended actions when tool invocation is unguarded.

Technical Context: Filename-embedded prompt injection abuses agent tool calls; mitigations include consent gating and sandboxing.

⚡ Strategic Intelligence Guidance

  • Gate risky agent tools behind explicit user consent and policy.
  • Apply content-origin isolation; treat filenames/inputs as untrusted.
  • Log and review agent tool invocations; restrict network egress by default.
  • Adopt secure-by-default prompts and deny-lists for agent tool chains.
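The four guidance points above can be combined into a single control in front of an agent's tool dispatcher. The following Python sketch is an added example, not Tenable's research code or any part of Windsurf: it wraps filenames and other untrusted content as delimited data blocks before they enter the prompt, requires a human approval callback for every call to a risky tool, denies network egress by default unless the host is allowlisted, and records every decision in an audit log. The tool name read_url_content comes from the advisory; the other tool names, the allowlisted host, the delimiter format and the approval callback are assumptions for illustration.

```python
"""Consent gate, content-origin isolation and audit logging for agent tool calls.

Added example; the policy sets, delimiter format and tool names other than
read_url_content are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List
from urllib.parse import urlparse

# Constructed policy: tools that can reach the network or act on the host
# need explicit human approval on every call, regardless of what the model
# "thinks" the user asked for.
RISKY_TOOLS = {"read_url_content", "run_command", "write_file"}

# Constructed allowlist: network egress is denied unless the host is listed.
ALLOWED_EGRESS_HOSTS = {"docs.example.invalid"}


def as_untrusted(label: str, text: str) -> str:
    """Wrap content from files, filenames or web pages as inert data.

    Angle brackets and ampersands are escaped so the wrapped text cannot
    close the delimiter early and be read as trusted context.
    """
    safe = text.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    return f'<untrusted source="{label}">{safe}</untrusted>'


def build_context(instruction: str, filenames: List[str]) -> str:
    """Assemble the model prompt: the trusted instruction first, then each
    workspace filename as a labelled data block rather than free text."""
    parts = ["[instruction]", instruction, "[workspace files]"]
    parts += [as_untrusted("filename", name) for name in filenames]
    return "\n".join(parts)


@dataclass
class ToolCall:
    name: str
    args: Dict[str, str]


@dataclass
class Decision:
    allowed: bool
    reason: str


@dataclass
class ToolGate:
    """Consent gate plus audit log placed in front of the tool dispatcher."""
    approve: Callable[[ToolCall], bool]          # asks the human; True = approved
    audit_log: List[str] = field(default_factory=list)

    def decide(self, call: ToolCall) -> Decision:
        if call.name not in RISKY_TOOLS:
            return Decision(True, "low-risk tool")
        if call.name == "read_url_content":
            host = urlparse(call.args.get("url", "")).hostname or ""
            if host not in ALLOWED_EGRESS_HOSTS:
                return Decision(False, f"egress to {host!r} denied by default")
        if not self.approve(call):
            return Decision(False, "user declined")
        return Decision(True, "user approved")

    def dispatch(self, call: ToolCall) -> Decision:
        """Decide, then log the outcome so reviewers can reconstruct what
        the agent tried to do and why it was or was not allowed."""
        decision = self.decide(call)
        self.audit_log.append(
            f"tool={call.name} args={sorted(call.args)} "
            f"allowed={decision.allowed} reason={decision.reason}"
        )
        return decision


if __name__ == "__main__":
    # Constructed workspace listing; filenames are data, never instructions.
    print(build_context("Summarise the open files.",
                        ["README.md", "TODO - see the team wiki for setup.txt"]))
    gate = ToolGate(approve=lambda c: input(f"Allow {c.name} {c.args}? [y/N] ").lower() == "y")
    print(gate.dispatch(ToolCall("read_url_content", {"url": "https://docs.example.invalid/setup"})))
    print(*gate.audit_log, sep="\n")
```

The gate is deliberately content-independent: it does not try to recognise injected instructions inside a filename, which is unreliable, but instead makes the risky action itself require consent and an allowlisted destination. The escaping in as_untrusted matters because a delimiter scheme is only isolation if untrusted text cannot forge the closing tag.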

Vendors

Windsurf

Threats

Prompt Injection

Targets

AI IDE Agents