Google fixes critical prompt injection flaw in “Antigravity”

A critical security vulnerability capable of enabling remote code execution has been discovered in Google’s agentic integrated development environment (IDE)  “Antigravity”. The flaw, which has since been patched, allowed attackers to bypass the platform’s security mechanisms through a prompt injection technique.

According to the information, the vulnerability resulted from the combination of Antigravity’s permitted file-creation capabilities and insufficient input sanitization in its native file-searching tool, “find_by_name”.  As a result, it became possible to bypass the program’s restrictive security configuration known as “Strict Mode”. This mode normally limits network access, prevents writing outside the workspace and ensures that all commands are executed within a sandbox environment.

The attack could be carried out by injecting a specific flag into the “Pattern” parameter used in the “find_by_name” tool. Through this method, the system’s underlying search mechanism, the “fd” command, could be manipulated for malicious purposes, allowing the execution of arbitrary binaries. In other words, a parameter originally intended only for file searches could directly influence command execution due to insufficient validation.

One of the more dangerous aspects of this vulnerability is that it could also be exploited through indirect prompt injection. In this scenario, a user obtains a seemingly harmless file from an untrusted source. Hidden instructions embedded within that file then direct the artificial intelligence (AI) agent to prepare a malicious file and trigger the exploit. As a result, system compromise can occur without the need for direct account compromise. This incident reflects the same threat trend observed in other recently identified vulnerabilities affecting AI-powered development tools.