www.darkreading.com 4/21/2026, 4:01:28 PM

Google fixes Antigravity IDE prompt injection flaw enabling RCE

Google has fixed a critical prompt-injection flaw in its agentic integrated development environment Antigravity, which previously allowed sandbox escape and remote code execution after researchers demonstrated a proof-of-concept attack. The vulnerability centred on Antigravity’s tool-execution model, particularly the find_by_name tool’s Pattern parameter: insufficient input sanitisation allowed command-line flags to be injected into the underlying fd utility, turning a file search into arbitrary code execution.

According to Pillar Security’s blog post, the attack chain could stage a malicious script and trigger it through a seemingly legitimate search, all without further user interaction once the initial prompt injection lands, bypassing Secure Mode’s restrictions. Pillar’s Dan Lisichkin noted that this means an attacker could achieve arbitrary code execution under the security settings a conscientious user would rely on to prevent it.
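The weakness described above is classic argument injection: a user- or model-controlled value lands in an argv slot where the option parser still accepts flags. The following is an added illustration, not code from Antigravity or from Pillar’s write-up, contrasting that unsafe argv shape with a hardened one that pins the pattern behind the end-of-options marker `--`; the `fd` binary name and the `--injected-option` token are constructed placeholders.

```python
import shlex
import subprocess
from typing import List

FD_BINARY = "fd"  # assumed: fd on PATH; always invoked as an argv list, never via a shell string


def vulnerable_argv(pattern: str, search_root: str) -> List[str]:
    """Unsafe shape: the pattern sits where the option parser still reads flags,
    so a pattern beginning with '-' is parsed as an option, not as a search pattern."""
    return [FD_BINARY, pattern, search_root]


def validate_pattern(pattern: str) -> str:
    """Reject values that can never be a legitimate file-name pattern (defence in depth)."""
    if not pattern or len(pattern) > 512:
        raise ValueError("pattern is empty or unreasonably long")
    if any(ch in pattern for ch in "\x00\r\n"):
        raise ValueError("pattern contains control characters")
    return pattern


def hardened_argv(pattern: str, search_root: str) -> List[str]:
    """Developer-chosen options (none here) go first, then '--', then every
    attacker-influenceable positional. Anything after '--' is data, never a flag."""
    return [FD_BINARY, "--", validate_pattern(pattern), search_root]


def option_position_tokens(argv: List[str]) -> List[str]:
    """Tokens a getopt/clap-style parser would treat as options: those that
    start with '-' and appear before the first '--'. Useful as a unit-test oracle."""
    flagged = []
    for tok in argv[1:]:
        if tok == "--":
            break
        if tok.startswith("-"):
            flagged.append(tok)
    return flagged


def run_search(pattern: str, search_root: str) -> List[str]:
    """Run the hardened search and return matched paths (requires fd installed)."""
    argv = hardened_argv(pattern, search_root)
    out = subprocess.run(argv, capture_output=True, text=True, check=False, timeout=30)
    return out.stdout.splitlines()


if __name__ == "__main__":
    injected = "--injected-option"  # constructed placeholder, not a real fd flag
    print("vulnerable:", shlex.join(vulnerable_argv(injected, ".")))
    print("hardened:  ", shlex.join(hardened_argv(injected, ".")))
```

`option_position_tokens` makes the difference testable without running the tool: the vulnerable argv exposes the injected token in option position, the hardened one exposes nothing.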

Google acknowledged the flaw and fixed it in February, after it was reported in January, with Pillar’s research team receiving a bug bounty for the find. The case highlights that prompt injection remains a risk across IDEs and AI-enabled tools, and that the weaknesses it reaches are not solely AI-specific vulnerabilities.


Article by CyberSIXT
