Windsurf — Security Profile
Product Overview
Windsurf (by Codeium) is an AI-powered IDE forked from VS Code, similar to Cursor. It integrates LLMs for code generation and agentic development workflows. Its vulnerability profile closely mirrors Cursor's due to the shared VS Code/Electron architecture.
| Component | Description | Attack Surface |
|---|---|---|
| Windsurf Editor | VS Code fork with Cascade AI agent | Config injection, prompt injection, workspace manipulation |
| Cascade Agent | AI agent for code generation and task execution | Prompt injection → tool abuse chains |
| Chromium/Electron Runtime | Bundled browser engine | 80-94+ inherited CVEs from outdated Chromium |
| Extensions | VS Code extension ecosystem | Shared extension vulnerabilities (Live Server, Code Runner, etc.) |
| MCP Integration | Model Context Protocol support | MCP config poisoning |
Key Vulnerabilities
Inherited Chromium CVEs
Windsurf shares the same outdated Chromium problem as Cursor. OX Security's research confirmed that both IDEs run Chromium builds with 94+ known CVEs, including actively exploited vulnerabilities in CISA's KEV catalog. See the Cursor profile for the full CVE list — the same vulnerabilities apply to Windsurf.
IDEsaster Vulnerabilities
The IDEsaster research (MaccariTA, 2025) found universal attack chains affecting Windsurf alongside Cursor, Copilot, and other AI IDEs. Prompt injection primitives combined with legitimate IDE features to achieve data exfiltration and RCE.
VS Code Extension Vulnerabilities
As a VS Code fork, Windsurf inherits the same extension vulnerabilities as Cursor:
| CVE | Extension | Description | Control |
|---|---|---|---|
| CVE-2025-65717 | Live Server (72M+ downloads) | Remote file exfiltration | Disable when not in use |
| CVE-2025-65716 | Markdown Preview Enhanced (8.5M+) | JS execution via crafted Markdown | Avoid previewing untrusted files |
| CVE-2025-65715 | Code Runner (37M+) | RCE via settings.json manipulation | Review settings changes carefully |
Vendor Response
OX Security noted that Windsurf did not respond to their responsible disclosure outreach regarding Chromium vulnerabilities (contacted October 2025). Windsurf does maintain SOC 2 Type II certification and offers FedRAMP High accreditation for enterprise deployments.
Hardening Recommendations
□ Keep Windsurf updated to latest version
□ Enable Workspace Trust if available
□ Disable automatic task execution
□ Run untrusted projects in containers/VMs
□ Remove unused extensions
□ Monitor for Chromium update releases from Windsurf
□ Consider standard VS Code for security-sensitive work
□ Audit .vscode/ and MCP config files in all cloned repositories
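The last two hardening items can be scripted. This is an added example, not from the page and not Windsurf or Codeium code: it walks a cloned repository and flags tasks.json tasks set to run on folder open, settings.json keys that redirect what an extension or task executes (the Code Runner path from the table above), and every MCP server entry; the MCP file names and the "mcpServers" key are assumptions.

```python
# Added example, not Windsurf/Codeium code. MCP file names and the
# "mcpServers" key are assumptions; adjust for the build you deploy.
import json, re, tempfile
from pathlib import Path

MCP_NAMES = {"mcp.json", "mcp_config.json"}  # assumed MCP config file names
# Keys that change what runs (code-runner.executorMap per the CVE table above).
RISKY_PREFIXES = ("code-runner.", "terminal.integrated.", "task.")

def load_jsonc(path: Path) -> dict:
    """Parse VS Code style JSON: drop full-line // comments and trailing commas."""
    text = re.sub(r"^\s*//.*$", "", path.read_text(), flags=re.M)
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))

def audit_repo(root: Path) -> list[str]:
    """Return one finding per config item that can run code when the repo opens."""
    findings = []
    for path in root.rglob("*.json"):
        if path.parent.name != ".vscode" and path.name not in MCP_NAMES:
            continue
        rel = path.relative_to(root).as_posix()
        try:
            data = load_jsonc(path)
        except (ValueError, OSError) as exc:
            findings.append(f"{rel}: unparseable ({exc}); review manually")
            continue
        if path.name == "tasks.json":
            for task in data.get("tasks", []):  # runOn=folderOpen starts on open
                if task.get("runOptions", {}).get("runOn") == "folderOpen":
                    findings.append(f"{rel}: task {task.get('label')!r} runs on folder open")
        elif path.name == "settings.json":
            findings += [f"{rel}: overrides {k}" for k in data if k.startswith(RISKY_PREFIXES)]
        else:  # MCP config: every server entry is a command the agent may launch
            for name, srv in data.get("mcpServers", {}).items():
                findings.append(f"{rel}: MCP server {name!r} -> {srv.get('command') or srv.get('url')}")
    return findings

def demo() -> list[str]:
    """Constructed sample repo (not a real project) with one of each artefact."""
    root = Path(tempfile.mkdtemp())
    (root / ".vscode").mkdir()
    (root / ".vscode/tasks.json").write_text(json.dumps({"version": "2.0.0", "tasks": [
        {"label": "setup", "type": "shell", "command": "./setup.sh",
         "runOptions": {"runOn": "folderOpen"}}]}))
    (root / ".vscode/settings.json").write_text(
        '{\n  // looks harmless\n  "editor.tabSize": 2,\n'
        '  "code-runner.executorMap": {"python": "./tools/run.sh"},\n}')
    (root / "mcp_config.json").write_text(json.dumps(
        {"mcpServers": {"helper": {"command": "npx", "args": ["-y", "some-pkg"]}}}))
    return audit_repo(root)
```

Run it against each freshly cloned repository before opening it in the IDE; any finding is something to read by hand, not something the script decides is malicious.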
What to Test in Engagements
□ Chromium version fingerprinting — what build is bundled?
□ Workspace Trust status — is it enabled or disabled by default?
□ MCP config injection via shared repositories
□ Cascade agent file write scope — can it modify config files?
□ Extension vulnerability testing
□ Prompt injection via code context (comments, docs, README)
□ Deeplink handling — can external links trigger execution?
□ Task auto-execution on folder open