LangFlow
cpe:2.3:a:langflow:langflow:*:*:*:*:*:*:*
- >= 0, < 1.9544.26
A prompt injection vulnerability has been identified in Windsurf version 1.9544.26. This vulnerability allows remote attackers to execute arbitrary commands on a victim's system. The issue arises when Windsurf processes HTML content controlled by attackers, which can manipulate the local MCP configuration. This manipulation includes the unauthorized registration of a malicious MCP STDIO server, enabling the execution of commands without further user interaction. Exploitation of this vulnerability could result in commands being executed on behalf of the user, persistent malicious changes to the MCP configuration, and access to sensitive information through the application.
Successful exploitation allows for remote command execution on the affected system, with the executed commands running in the context of the user.
The vulnerability can be reproduced by sending a crafted HTML page to a victim using Windsurf 1.9544.26. When the victim opens the page, the injected commands are executed, and a reverse shell is spawned on the machine running Windsurf.
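A defender-side check for the unauthorized MCP STDIO server registration described above, as an added example that is not part of the original advisory or of Windsurf's own code: it compares the STDIO entries of an MCP configuration against an approved baseline and reports new or changed ones. The `mcpServers`/`command`/`args`/`env` layout, the `url` key and all server names are assumptions, and the sample configurations are constructed.

```python
import hashlib
import json

# Assumed layout: {"mcpServers": {name: {"command": ..., "args": [...], "env": {...}}}}
# STDIO servers are the entries carrying a "command"; other entries spawn nothing locally.


def fingerprint(entry):
    """Stable hash over the fields that decide what gets executed."""
    material = json.dumps(
        {key: entry.get(key) for key in ("command", "args", "env")},
        sort_keys=True,
    )
    return hashlib.sha256(material.encode()).hexdigest()


def build_baseline(config_text):
    """Map each approved STDIO server name to the fingerprint of its entry."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: fingerprint(e) for name, e in servers.items() if "command" in e}


def audit(config_text, baseline):
    """Return (name, reason, command line) for every STDIO server not approved as-is."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, entry in sorted(servers.items()):
        if "command" not in entry:
            continue  # not a STDIO server
        cmdline = " ".join([str(entry["command"]), *map(str, entry.get("args", []))])
        if name not in baseline:
            findings.append((name, "unapproved", cmdline))
        elif baseline[name] != fingerprint(entry):
            findings.append((name, "modified", cmdline))
    return findings


# Constructed sample data: an approved configuration and a later, altered one.
APPROVED = '{"mcpServers": {"docs": {"command": "npx", "args": ["-y", "example-docs-mcp"]}}}'
CURRENT = json.dumps({"mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "example-docs-mcp", "--extra"]},
    "helper": {"command": "/bin/sh", "args": ["-c", "placeholder"]},
    "remote": {"url": "https://mcp.example.invalid/sse"},
}})

if __name__ == "__main__":
    for finding in audit(CURRENT, build_baseline(APPROVED)):
        print(finding)
```

Because the fingerprint covers `command`, `args` and `env`, an approved server whose arguments were altered is reported as well as a newly registered one.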