Another Day, Another Leak: CodeGPT and Prompt Injection

Previously, we explored why prompt injection is not going away in 2025, and why that matters. In another blog post, we showed how LLM extensions integrated into popular developer tools often repeat the same mistakes, exposing their users to serious vulnerabilities. In that case, we demonstrated how a widely used VS Code extension leaked data through markdown-driven image rendering, and how the developers patched the issue.
This time, we examined another popular AI coding agent for Visual Studio Code extension, CodeGPT. Unfortunately, we found it suffers from a very similar vulnerability. Unlike other extensions, CodeGPT does not expose a built-in tool to fetch web content. But the way it processes markdown is still dangerous, allowing attackers to exfiltrate sensitive data through external image requests. This is the core of the vulnerabilities we demonstrate below.
Vulnerability Overview
The issue lies in how CodeGPT renders markdown. Crafted prompts hidden inside files (for example, comments in a code repository) can instruct the LLM to generate malicious markdown with external image links. When the extension renders those images, sensitive information may be included in the URL. These requests are sent automatically, without any user interaction. This makes the attack effectively zero-click.
The tested vulnerable versions are:
- CodeGPT version 3.14.19 (released August 21, 2025)
- CodeGPT version 3.14.46 (released August 27, 2025)
At the time of writing, no fixes have been released (refer to the Responsible Disclosure section).
Responsible Disclosure
We reported this issue privately to the CodeGPT team on August 21, 2025, through both email and their Discord channel, directly contacting several server admins. Unfortunately, we did not receive any acknowledgment of our report. At the time of writing, the vulnerability remains unpatched.
This contrasts with how other vendors have handled similar cases. Other researchers reported related flaws in comparable extensions, and those reports were acknowledged and addressed promptly.
After our initial report to the vendor, a newer version was released (3.14.46 on August 27, 2025). To check if the issue had been silently fixed, we tested this version as well. We confirmed that it remained vulnerable.
Proof of Concept
We created two proof-of-concept demonstrations to show how this works:
- A malicious prompt is hidden inside a code file comment.
- The user asks CodeGPT to analyze the file.
- The LLM follows the attacker’s instructions and generates a markdown response containing a malicious image link, leveraging internal tools when needed.
- The extension renders the markdown.
- Sensitive data is embedded in the image URL and sent to an attacker-controlled server.
This happens automatically. No user interaction is needed once the malicious prompt is processed.
PoC #1
For our first example PoC, the following screenshots and video shows how a prompt injection embedded in a file exploit the AI agent and tricks it to send previous messages we sent in the chat context to the third-party server.


PoC #2
In this second example PoC, the following screenshots and video shows how adversaries can first pull sensitive information into the chat context using built-in tools (e.g., to read a file, such as the .env file) before leaking it to the third-party server.



Recommendations
For extension developers:
- Sanitize markdown responses before rendering.
- Strip or neutralize external image links.
- Add user confirmation before loading third-party content.
- Detect suspicious prompts and block automatic file reads (especially for sensitive files) or URL generation.
For CodeGPT users:
- Keep sensitive projects isolated from AI extensions until fixes are available.
- Be cautious when using CodeGPT to, for example, analyze untrusted files.
Conclusion
Our findings show once again how integrating LLMs into developer workflows can introduce critical risks if not handled with care. A single crafted prompt is enough to trigger silent data exfiltration through markdown rendering.
The lack of action from the vendor leaves users vulnerable to these attacks. Developers may unknowingly expose sensitive information every time they rely on the extension for routine tasks.
These are risks we did not face before. Traditional developer tools did not process untrusted prompts from powerful language models, nor did they render dynamic content generated on the fly. The rise of LLMs brings new attack surfaces, and those need new security practices.
Without stronger safeguards and more responsible responses from vendors, LLM-powered tools will continue to put users at unnecessary risk.
References
https://marketplace.visualstudio.com/items?itemName=DanielSanMedium.dscodegpt
https://versprite.com/blog/still-obedient-prompt-injection-in-llms-isnt-going-away-in-2025/
https://versprite.com/blog/data-exfiltration-via-image-rendering-fixed-in-continue/
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /
- /