"Tab, Tab, Bug": Security Pitfalls of Next Edit Suggestions in AI-Integrated IDEs
Yunlong Lyu, Yixuan Tang, Peng Chen, Tian Dong, Xinyu Wang, Zhiqiang Dong, Hao Chen
TL;DR
This paper provides the first systematic security analysis of Next Edit Suggestions (NES) in AI-integrated IDEs, showing how richer context and proactive editing expand the attack surface beyond traditional autocompletion. Combining a mechanism-driven taxonomy (context poisoning, transactional edits, and human-IDE interaction) with white-box and black-box evaluations across a set of NES implementations and a broad online survey, the work finds alarmingly high rates of insecure suggestions in security-critical contexts (averaging around $74$–$78\%$) and a substantial gap between awareness and verification among developers. It shows that commercial model upgrades do not adequately mitigate context-based risks, and that UX features can either reduce or exacerbate vulnerabilities depending on design choices. The findings underscore an urgent need for defensive mechanisms, secure-by-design NES workflows, and user education before NES can be safely deployed in software development.
Abstract
Modern AI-integrated IDEs are shifting from passive code completion to proactive Next Edit Suggestions (NES). Unlike traditional autocompletion, NES is designed to construct a richer context from both recent user interactions and the broader codebase to suggest multi-line, cross-line, or even cross-file modifications. This evolution streamlines the programming workflow into a tab-by-tab interaction and enhances developer productivity. At the same time, NES introduces a more complex context-retrieval mechanism and more sophisticated interaction patterns. However, existing studies focus almost exclusively on the security implications of standalone LLM-based code generation, ignoring the potential attack vectors posed by NES in modern AI-integrated IDEs. The underlying mechanisms of NES remain under-explored, and their security implications are not yet fully understood. In this paper, we conduct the first systematic security study of NES systems. First, we perform an in-depth dissection of the NES mechanisms to understand the newly introduced threat vectors. We find that NES retrieves a significantly expanded context, including inputs from imperceptible user actions and global codebase retrieval, which increases the attack surface. Second, we conduct a comprehensive in-lab study to evaluate the security implications of NES. The evaluation results reveal that NES is susceptible to context poisoning and is sensitive to transactional edits and human-IDE interactions. Third, we perform a large-scale online survey involving over 200 professional developers to assess the perceptions of NES security risks in real-world development workflows. The survey results indicate a general lack of awareness regarding the potential security pitfalls associated with NES, highlighting the need for increased education and improved security countermeasures in AI-integrated IDEs.
