What security issues do Windsurf apps have?

Headline incident: 94+ Chromium CVEs Discovered in Windsurf

Security researchers have identified over 94 Chromium-based vulnerabilities in Windsurf IDE. While these affect the IDE itself, it's crucial to ensure the code you build with Windsurf doesn't inherit security issues.

Critical issues in Windsurf apps

• **Chromium CVE Exposure**: 94+ Chromium vulnerabilities discovered in Windsurf's underlying browser engine. *(Observed: Security audit revealed remote code execution vectors via Chromium flaws.)*
• **MCP Server Exploitation**: Malicious MCP servers can execute arbitrary code on your machine.
• **Workspace Trust Bypass**: Malicious repositories with hidden configuration can execute code on open.

High-severity issues

• **Cascade Code Suggestions**: AI-generated code may contain security vulnerabilities.

Medium/low-severity issues

• **Code Exfiltration Without ZDR**: Without Zero Data Retention, code is sent to Codeium servers.

Why these are the issues specific to Windsurf

Windsurf apps ship with a recognizable stack (supabase, firebase, postgres). The issue list above is what appears when you scan that specific combination. A Firebase-backed app would have a different top-5; a self-hosted Postgres deployment would have yet another. Context is everything.

What VAS checks in a Windsurf scan

• **Secret Detection** — Scans for API keys, tokens, and credentials that may have been hardcoded during development.
• **Code Security** — Analyzes code for common vulnerability patterns and insecure practices.
• **Database Security** — Tests database configuration for proper access controls and RLS policies.
• **Security Headers** — Verifies your deployed app has proper HTTP security headers.