_NicoElNino_Alamy.png?disable=upscale&width=1200&height=630&fit=crop "Google Fixes Critical RCE Flaw in AI-Based Antigravity Tool")
Google has fixed a critical flaw in its agentic integrated developer environment (IDE) Antigravity that led to sandbox escape and remote code execution (RCE) after researchers created a proof of concept (PoC) prompt injection attack exploiting it.
Prompt injection issues are becoming a major thorn in the side of artificial intelligence (AI) tools, although, in this case, the vulnerability seems to be more of a common problem with IDEs in general rather than an AI-specific one. IDEs are a package of basic tools and capabilities that developers need to program, edit, and test software code; Antigravity is an agentic IDE that provides developers with native tools for filesystem operations.
Researchers at Pillar Security uncovered a critical flaw in Antigravity’s tool-execution model that allows attackers to escalate a seemingly benign prompt injection into full system compromise, according to a blog post published this week. The issue centers on how the IDE handles internal tool calls — specifically, a file-search capability that executes before security controls are enforced.
The flaw affects the find_by_name tool’s Pattern parameter, allowing attackers to exploit insufficient input sanitization and for injection of command-line flags into the underlying fd utility, according to the post. This basically converts a file search operation into arbitrary code execution.
‘Full Attack Chain’
Ultimately, combined with Antigravity’s ability to create files as a permitted action, the result is “a full attack chain: stage a malicious script, then trigger it through a seemingly legitimate search, all without additional user interaction once the prompt injection lands,” Pillar Security’s Dan Lisichkin wrote in the post. The vulnerability is dangerous because it bypasses Antigravity’s Secure Mode, the product’s most restrictive security configuration.
“Secure Mode is designed to restrict network access, prevent out-of-workspace writes, and ensure all command operations run strictly under a sandbox context,” Lisichkin wrote. “None of these controls prevent exploitation, because the find_by_name tool call fires before any of these restrictions are evaluated.”
That means that the agent treats the call as a native tool invocation, not a shell command, so it never reaches the security boundary that Secure Mode enforces, he said. “This means an attacker achieves arbitrary code execution under the exact configuration a security-conscious user would rely on to prevent it,” Lisichkin wrote.
Google had not responded to a Dark Reading request for comment as of this posting.
Prompt Injection Poses Danger
Prompt injection flaws are becoming some of the most common vulnerabilities found in agentic AI tools, whether they be IDEs or chatbots. Security researchers have found this issue in other AI tools as well, including ChatGPT’s Atlas browser and Google Gemini AI chatbot.
However, in this case, it seems the flaw may be more of an IDE issue than one that’s related to Gravity being an AI-based tool, says Fredrik Almroth, co-founder & security researcher at application security testing firm Detectify.
“This is an issue across IDEs, AI or not,” Almroth tells Dark Reading via an email exchange. “It’s almost inevitable: Any time you have a primitive that reads or writes files or executes commands, there is a risk of security breaches. Making a ‘fully secure’ sandbox environment is virtually impossible.”
Almroth cited AngularJS, a Java-based tool also developed by Google, as an example of a non-AI-based IDE with a similar issue. “[Google] introduced a sandbox in 2010 to prevent ‘client-side template injection attacks’ (XSS),” he says. “All versions of Angular v1 have had their sandbox bypassed. They never got it right, so in v2 it was completely removed.”
Other AI-based IDEs seem to suffer from similar issues, too, according to Pillar. Earlier research the firm disclosed about the prompt-injection flaw CVE-2026-22708 in the AI-assisted development environment Cursor demonstrates that the pattern repeats across agentic IDEs when tools designed for constrained operations become attack vectors if their inputs are not strictly validated, Lisichkin wrote.
“The trust model underpinning security assumptions, that a human will catch something suspicious, does not hold when autonomous agents follow instructions from external content,” he explained.
How to Fix a Recurring IDE Issue
The good news for AntiGravity is that Google acknowledged and fixed the prompt injection flaw identified by Pillar in February, not long after it was reported to them in January, according to Pillar. Pillar’s research team was awarded a bug bounty for the find, though the amount was not disclosed.
To solve the larger prompt-injection issue, however, the industry must move beyond sanitization-based controls toward execution isolation, Lisichkin suggested, since “every native tool parameter that reaches a shell command is a potential injection point.” That means that those developing AI agentic IDEs must make it mandatory to audit for this class of vulnerability to ship agentic features safely, he said.
While it’s possible to achieve secure sandboxing during development, “it’s incredibly hard to secure a development environment that absolutely must be able to read and write files while still invoking utilities,” Almroth says. Moreover, “having an LLM in the mix adds another layer of complexity to a challenge companies have been struggling with for years,” he says, which means those developing AI tools should be mindful of the issue before releasing new builds.
