AI coding assistants promise productivity gains, but researchers at Mindgard have uncovered a critical vulnerability chain in Cline, a popular VSCode extension, that turns convenience into a security liability.
What Happened?
During a brief audit, researchers discovered four severe vulnerabilities that allow attackers to:
- Exfiltrate API keys
- Execute arbitrary code
- Leak sensitive model information
All without user awareness.
The findings highlight a fundamental blind spot in LLM-based development tools: system prompts are not harmless configuration text—they are attack surfaces.
Exploitation Requires Just Opening a Repository
Cline, with 3.8 million installs and 52,000 GitHub stars, was vulnerable to prompt-injection attacks when analyzing source code.
The most critical flaw enables attackers to embed malicious instructions in Python docstrings or Markdown files. When a developer opens an infected repository and asks Cline to analyze it—a routine task—the agent executes attacker commands without user approval.
Three Exploitation Paths Identified
1. DNS-Based Data Exfiltration
Attackers embed instructions in docstrings that coerce Cline into:
- Reading environment variables (including API keys)
- Encoding them into DNS queries sent to attacker-controlled domains
Since ping commands are whitelisted as “safe”, Cline executes them without approval, leaking credentials via DNS logs.
2. Abuse of .clinerules Directory
By placing malicious Markdown in the .clinerules directory, attackers override the requires_approval flag, transforming dangerous operations—like downloading and executing remote payloads—into “approved” actions.
Result: Complete system compromise.
3. TOCTOU Race Condition Exploits
Attackers create delayed-execution scripts, assembling malicious payloads piece by piece.
The model cannot inspect the full execution chain, making the attack invisible during analysis.
Why This Is Critical
Because Cline is open source, attackers had access to both:
- System prompt specifications
- Implementation details
This enabled precise targeting of semantic loopholes and linguistic brittleness in safety guardrails.
Disclosure & Current Status
- Vulnerabilities disclosed by Mindgard in August 2025
- Public acknowledgment by Cline team only after October pressure
- As of version 3.35.0, issues appear partially mitigated, but researchers note lack of transparency on fixes
Security Lessons
This incident underscores the urgent need to:
- Treat system prompts as critical security surfaces
- Implement robust approval workflows for AI-driven actions
- Conduct regular security audits of AI development tools
Key Takeaways
- Cline’s vulnerabilities enable prompt injection, credential theft, and RCE
- Exploitation requires minimal user interaction
- AI coding assistants need security-first design principles
