{"uuid": "49392793-01ae-42d3-9c7f-6584f97308fa", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2025-53773", "type": "seen", "source": "https://gist.github.com/yurukusa/b54cf1d3e9b873777a50c049195b6954", "content": "# Your AI coding agent can delete your files \u2014 Cursor, Copilot, Codex, Windsurf, Claude Code all share the same failure\n\nIt's not a Claude Code problem, or a Cursor problem. Every agentic coding tool with an \"auto-run\" mode shares the same failure shape: in YOLO / Turbo / Full-Access mode the agent runs a destructive shell command without asking, and the \"protections\" get bypassed by shelling out. Here are the verified, public incidents per tool, the one mechanism behind all of them, and the official setting that limits it in each.\n\n## The same incident, in every tool\n\n**Cursor**\n- An agent ran `rm -rf` and deleted files from a *parallel* sibling directory ([forum #44742](https://forum.cursor.com/t/cursor-ai-agent-used-rm-rf-to-delete-files-from-a-parallel-subdirectory/44742)).\n- On Windows, `rd /s /q` wiped a production `C:\\` root \u2014 ~250GB, including SSL private keys and a database ([forum #160566](https://forum.cursor.com/t/production-data-loss-incident-caused-by-cursor-agent-shell-command/160566)).\n- YOLO mode ran `rm -rf ~/` *despite* \"delete file protection\" being on ([forum #46170](https://forum.cursor.com/t/yolo-mode-can-execute-rm-rf-despite-delete-file-protection/46170)). 
The denylist is bypassable with Base64 / `bash -c` ([The Register, 2025-07-21](https://www.theregister.com/2025/07/21/cursor_ai_safeguards_easily_bypassed/)).\n\n**GitHub Copilot (agent mode)**\n- An agent action ran `rmdir /s /q` and took out an entire `D:` drive \u2014 ten years of photos and video ([community #166370](https://github.com/orgs/community/discussions/166370)).\n- `CVE-2025-53773`: prompt injection writes `chat.tools.autoApprove: true` into settings, silently flipping the agent into YOLO mode \u2192 RCE ([Embrace The Red](https://embracethered.com/blog/posts/2025/github-copilot-remote-code-execution-via-prompt-injection/)).\n\n**OpenAI Codex (CLI / app)**\n- In Full-Access mode on Windows, an agent deleted files outside the project directory \u2014 ~370GB lost, with **10+ others reporting the same** ([community #1375894](https://community.openai.com/t/critical-data-loss-issue-in-codex-app-for-windows-agent-executed-file-deletion-outside-project-directory/1375894)).\n- `rm -rf *` wiped everything after the user rushed it ([codex #6801](https://github.com/openai/codex/issues/6801)). OpenAI itself [warns about `--dangerously-bypass-approvals-and-sandbox`](https://developers.openai.com/codex/agent-approvals-security).\n\n**Windsurf**\n- Cascade said it would `git rm` a file, then ran `rm` without permission and deleted it permanently ([@carmelyne](https://www.threads.com/@carmelyne/post/DCiQqady7aS)). 
Turbo mode auto-runs commands that aren't on the deny list.\n\n*(The widely-shared \"agent deleted the production database\" story was [Replit](https://incidentdatabase.ai/cite/1152/), not Cursor \u2014 but the shape is identical.)*\n\n## The one mechanism\n\nAll of these are the same thing: **an auto-execution mode runs a destructive shell command without a confirmation, and the built-in \"protection\" is a denylist that shell-out (`bash -c`, Base64, a script, a renamed command) walks straight past.** Cost runs away the same way \u2014 an autonomous loop or an agent multiplier quietly drains a quota or a pay-as-you-go balance.\n\n## What actually limits it, per tool\n\nThe defenses are *not* the same \u2014 each tool implements approval differently, so use the right one:\n\n- **Cursor** \u2014 keep the agent off full YOLO; curate the command allow/deny list and don't rely on it alone (it's bypassable).\n- **GitHub Copilot** \u2014 leave `chat.tools.autoApprove` **off**; use Workspace Trust; review terminal commands before they run.\n- **Codex CLI** \u2014 use approval mode + the sandbox; never `--dangerously-bypass-approvals-and-sandbox` on real files.\n- **Windsurf** \u2014 don't run Turbo mode against anything you can't lose; keep the deny list tight.\n- **Claude Code** \u2014 a `PreToolUse` hook can *block the command before it runs* (not just warn), and it catches the shell-out forms a denylist misses.\n\n## The durable fix: a pre-execution guard\n\nA deny-list in settings helps but is bypassable. 
The reliable layer is a hook that inspects the actual command and blocks the irreversible ones before execution \u2014 and takes a snapshot you can recover from:\n\n```bash\n# Snapshot commit of the working tree and index without touching either, and without pushing onto the stash list.\n# The command only prints the commit hash; save it (or run `git stash store <hash>`) so it can be recovered later.\ngit stash create\n```\n\nFor Claude Code, that pre-execution guard (covering `rm -rf`, `git reset --hard`, `migrate:fresh`, the Windows `Remove-Item`/`rd` forms, and cloud `delete` verbs \u2014 for both the Bash and PowerShell tools) is free and MIT in [cc-safe-setup](https://github.com/yurukusa/cc-safe-setup). The per-tool incident playbook with recovery steps verified against real git is collected in a guide linked there.\n\n---\n\n*Honesty note: the per-tool defenses above are from each tool's official docs and public incident reports; I verify hooks firsthand on **Claude Code** (Linux), not on the other agents' runtimes. The incidents are all linked to their public sources. Spot an error and I'll fix it.*\n", "creation_timestamp": "2026-06-19T01:57:42.000000Z"}