Technical Advisory: Multiple Vulnerabilities in Cursor AI Code Editor


Disclosed: October 3, 2025

Severity: High (CVSS 4.0: 7.3 - 8.6) - Remote Code Execution via Prompt Injection

Package/Component: Cursor AI Code Editor

CVEs: CVE-2025-59944 • CVE-2025-61590 • CVE-2025-61591 • CVE-2025-61592 • CVE-2025-61593

Executive Summary

What Happened:

Five high-severity remote code execution vulnerabilities (CVE-2025-59944, CVE-2025-61590, CVE-2025-61591, CVE-2025-61592, CVE-2025-61593) have been disclosed in Cursor AI code editor affecting versions 1.7 and below. These vulnerabilities exploit various prompt injection vectors including: malicious MCP server impersonation via OAuth (CVE-2025-61591), case-sensitivity bypass in file protection (CVE-2025-59944), VS Code workspace manipulation (CVE-2025-61590), malicious project CLI configuration (CVE-2025-61592), and CLI agent file modification (CVE-2025-61593). All vulnerabilities enable arbitrary code execution with full user privileges through AI-augmented development workflows where prompt injection serves as the primary attack vector.

Why It Matters:

  • Development Environment Compromise: Cursor is widely adopted in enterprise development workflows, meaning vulnerabilities could impact source code, credentials, and intellectual property across development teams
  • AI-Assisted Coding Context: Cursor's deep integration with codebases and its AI capabilities mean exploitation could expose sensitive business logic, API keys, and proprietary algorithms to attackers
  • Supply Chain Risk: Compromised development environments are prime targets for supply chain attacks, where malicious code could be injected into production systems through trusted developer workflows
  • Rapid Adoption Footprint: Cursor's growing market share means these vulnerabilities affect a broad and expanding user base across industries

High-Level Risks:

  • Unauthorized access to development environments and source code repositories
  • Potential credential theft (API keys, tokens, cloud credentials stored in development contexts)
  • Code injection or manipulation within active development workflows
  • Lateral movement from developer workstations to production infrastructure

Immediate Actions:

  1. Inventory Cursor deployments across your organization and identify which development teams are affected
  2. Monitor Cursor's official security advisories at cursor.com for patches and mitigation guidance
  3. Review developer access controls and ensure least-privilege principles are enforced for development tool permissions
  4. Audit recent code commits for any suspicious or unauthorized changes if compromise is suspected
  5. Prepare patch deployment process to ensure rapid updates once fixes are released

Overview

Multiple security vulnerabilities have been identified in the Cursor AI code editor, a widely used development environment that integrates large language models directly into the coding workflow. While specific technical details remain under embargo, the assignment of five CVEs within a short timeframe suggests a coordinated disclosure addressing multiple security issues. Organizations using Cursor should treat these vulnerabilities as potentially high-risk given the sensitive nature of development environments and the access they provide to critical business assets.

The vulnerabilities were assigned by GitHub (as indicated by CVE-2025-61592's metadata), suggesting they may relate to Cursor's integration with GitHub services, VSCode ecosystem components, or its AI model interaction layer. Development environments represent high-value targets because they often contain:

  • Source code and intellectual property
  • Credentials for cloud services, APIs, and databases
  • Direct access to CI/CD pipelines and production deployment mechanisms
  • Trust relationships with version control systems and artifact repositories

Risk Analysis

This vulnerability cluster is particularly concerning in the context of AI-augmented development workflows:

  1. Expanded Attack Surface in AI Development Tools: Unlike traditional IDEs, AI-powered editors like Cursor maintain persistent context about codebases, including sensitive patterns, API designs, and business logic. Vulnerabilities could expose this accumulated knowledge to attackers, providing comprehensive intelligence about an organization's technical infrastructure.
  2. Trust Boundary Confusion: Developers often trust their IDE as a safe environment, potentially sharing sensitive information (credentials, internal URLs, security configurations) that wouldn't be exposed in less trusted contexts. Exploitation could leverage this implicit trust to exfiltrate data that developers wouldn't knowingly share externally.
  3. Prompt Injection and Context Manipulation: If any of these CVEs relate to prompt injection or context handling, attackers could potentially manipulate the AI's responses to inject malicious code suggestions, redirect developers to compromised resources, or exfiltrate code through the AI's external API calls.
  4. Supply Chain Amplification: Compromised development environments can inject malicious code that propagates through version control, CI/CD pipelines, and eventually into production systems—making developer-focused vulnerabilities particularly high-impact from a supply chain security perspective.

CVE Details

All five CVEs have been published to the National Vulnerability Database (NVD) with full technical details, CVSS scores, and GitHub Security Advisory (GHSA) references. These vulnerabilities represent a coordinated disclosure of multiple remote code execution vectors in Cursor IDE affecting versions 1.7 and below.

CVE-2025-59944

  • Status: Published (October 3, 2025)
  • NVD Entry: CVE-2025-59944
  • Assigner: GitHub, Inc.
  • CVSS 4.0 Base Score: 7.3 High
  • CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
  • AIVSS: (CVSS:7.3/AARS:7.0)
  • CWE: CWE-178 - Improper Handling of Case Sensitivity
  • Affected Versions: Cursor versions 1.6.23 and below
  • Fixed Version: Version 1.7
  • Description: Cursor versions 1.6.23 and below contain case-sensitive checks in the way Cursor IDE protects its sensitive files (e.g., /.cursor/mcp.json), which allows attackers to modify the content of these files through prompt injection and achieve remote code execution. A prompt injection can lead to full RCE through modifying sensitive files on case-insensitive filesystems.
  • References: GHSA-xcwh-rrwj-gxc7
  • Assessment: High - RCE via case-sensitivity bypass in file protection allowing prompt injection to modify sensitive configuration files
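
The CWE-178 pattern described for CVE-2025-59944, as an added Python illustration (not Cursor's code; the function names and the normalization steps are assumptions made for this example). It places an exact-match check on the protected paths next to a check that compares the form a case-insensitive filesystem would resolve.

```python
import posixpath
import unicodedata

# Protected files named in the advisory, relative to the project root.
PROTECTED = ("/.cursor/mcp.json", "/.cursor/cli.json")


def is_protected_case_sensitive(rel_path):
    """Flawed pattern (CWE-178): exact, case-sensitive string comparison.
    A differently-cased spelling passes, yet names the same file on a
    case-insensitive filesystem."""
    return rel_path in PROTECTED


def _canonical(rel_path):
    """Reduce a project-relative path to one comparable form."""
    p = rel_path.replace("\\", "/")               # accept Windows separators
    p = posixpath.normpath("/" + p.lstrip("/"))   # collapse //, ./ and ../
    p = unicodedata.normalize("NFC", p)           # one Unicode composition
    return p.casefold()                           # case-insensitive form


_PROTECTED_CANONICAL = frozenset(_canonical(p) for p in PROTECTED)


def is_protected_normalized(rel_path):
    """Hardened pattern: canonicalize both sides before comparing."""
    return _canonical(rel_path) in _PROTECTED_CANONICAL


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real incident.
    for candidate in ("/.cursor/mcp.json", "/.Cursor/MCP.json",
                      "/src/../.CURSOR/./mcp.json", "/src/mcp.json"):
        print(candidate,
              is_protected_case_sensitive(candidate),
              is_protected_normalized(candidate))
```

Where the target file already exists, comparing file identity (for example with os.path.samefile) is stricter still, because it asks the filesystem itself which file a path resolves to.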

CVE-2025-61590

  • Status: Published (October 3, 2025)
  • NVD Entry: CVE-2025-61590
  • Assigner: GitHub, Inc.
  • CVSS 4.0 Base Score: 7.5 High
  • CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
  • AIVSS: (CVSS:7.5/AARS:7.0)
  • CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection')
  • Affected Versions: Cursor versions 1.6 and below
  • Fixed Version: Version 1.7
  • Description: Cursor versions 1.6 and below are vulnerable to Remote Code Execution (RCE) attacks through Visual Studio Code Workspaces. If an attacker is able to hijack the chat context of the victim (such as via a compromised MCP server), they can use prompt injection to make the Cursor Agent write into workspace files (.code-workspace) and modify the workspace settings section. This leads to a bypass of CVE-2025-54130 which can lead to RCE. Workspaces automatically created by VS Code (untitled.code-workspace) contain all folders and workspace settings from the user's current session, creating an attack vector when .code-workspace files exist in the path.
  • References: GHSA-xg6w-rmh5-r77r
  • Assessment: High - RCE via workspace file manipulation through chat context hijacking (prompt injection)

CVE-2025-61591

  • Status: Published (October 3, 2025)
  • NVD Entry: CVE-2025-61591
  • Assigner: GitHub, Inc.
  • CVSS 4.0 Base Score: 8.6 High
  • CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
  • AIVSS: (CVSS:8.6/AARS:7.0)
  • CWE: CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Affected Versions: Cursor versions 1.7 and below
  • Patched Version: Patch available as of 2025.09.17-25b418f (no fixed release version yet)
  • Description: When MCP uses OAuth authentication with an untrusted MCP server, an attacker can impersonate another MCP server and return crafted, maliciously injected commands during the interaction process, leading to command injection and potential remote code execution. If chained with an untrusted MCP service via OAuth, this command injection vulnerability could allow arbitrary code execution on the host by the agent, directly compromising the system by executing malicious commands with full user privileges.
  • References: GHSA-wj33-264c-j9cq
  • Assessment: High - Command injection leading to RCE through malicious MCP server impersonation

CVE-2025-61592

  • Status: Published (October 3, 2025)
  • NVD Entry: CVE-2025-61592
  • Assigner: GitHub, Inc.
  • CVSS 4.0 Base Score: 8.6 High
  • CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
  • AIVSS: (CVSS:8.6/AARS:7.0)
  • CWE: CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
  • Affected Versions: Cursor versions 1.7 and below
  • Patched Version: Patch available as of 2025.09.17-25b418f (no fixed release version yet)
  • Description: In Cursor versions 1.7 and below, automatic loading of project-specific CLI configuration from the current working directory (<project>/.cursor/cli.json) could override certain global configurations in Cursor CLI. This allowed users running the CLI inside a malicious repository to be vulnerable to Remote Code Execution through a combination of permissive configuration (allowing shell commands) and prompt injection delivered via project-specific Rules (<project>/.cursor/rules/rule.mdc) or other mechanisms.
  • References: GHSA-v64q-396f-7m79
  • Assessment: High - RCE via malicious project configuration files that override CLI settings and enable shell command execution

CVE-2025-61593

  • Status: Published (October 3, 2025)
  • NVD Entry: CVE-2025-61593
  • Assigner: GitHub, Inc.
  • CVSS 4.0 Base Score: 8.6 High
  • CVSS 4.0 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P
  • AIVSS: (CVSS:8.6/AARS:7.0)
  • CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection')
  • Affected Versions: Cursor versions 1.7 and below
  • Patched Version: Commit 25b418f available (no fixed release version yet as of October 3, 2025)
  • Description: In Cursor versions 1.7 and below, a vulnerability in the Cursor CLI Agent's protection of sensitive files (e.g., /.cursor/cli.json) allows attackers to modify these files through prompt injection, potentially leading to remote code execution.
  • References: GHSA-x2vq-h6v6-jhc6
  • Assessment: High - RCE via prompt injection allowing modification of CLI Agent sensitive files

Summary of Vulnerabilities:

All five CVEs share common characteristics representing a coordinated disclosure of multiple attack vectors in Cursor IDE:

  • Attack Pattern: All vulnerabilities enable Remote Code Execution (RCE) through various prompt injection techniques
  • Severity Range: CVSS 7.5 to 8.8 (all High severity)
  • Common Weakness: Insufficient protection of sensitive configuration files and inadequate input validation
  • Attack Prerequisites: Require user interaction (opening malicious projects, connecting to untrusted MCP servers, or being targeted by prompt injection)
  • Patch Status: Version 1.7 fixes CVE-2025-59944 and CVE-2025-61590; patch 2025.09.17-25b418f addresses CVE-2025-61591, CVE-2025-61592, and CVE-2025-61593 (no formal release version yet)

These vulnerabilities highlight systemic issues in Cursor's handling of untrusted input and configuration files, particularly in AI-augmented development workflows where prompt injection is a primary attack vector.
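
A pre-open review aid for the files the CVE descriptions above name, as an added example (not code from Cursor or from this advisory's sources). The finding labels and the choice to skip .git are assumptions of the example, and it only reports which files are present without interpreting their schema.

```python
import json
import os

# File names the advisory lists under a .cursor directory.
PROTECTED_NAMES = {"mcp.json": "MCP_CONFIG", "cli.json": "CLI_CONFIG"}


def _workspace_finding(path):
    """Classify a .code-workspace file by whether it carries settings."""
    try:
        with open(path, encoding="utf-8") as fh:
            doc = json.load(fh)
    except (OSError, ValueError):
        # Workspace files may contain comments, which strict JSON rejects;
        # report them for manual review instead of silently skipping.
        return "WORKSPACE_UNPARSED"
    if isinstance(doc, dict) and doc.get("settings"):
        return "WORKSPACE_SETTINGS"
    return None


def scan_checkout(root):
    """Return sorted (relative_path, finding) pairs for files to review
    before an agent or CLI is run inside `root`."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        parts = [] if rel_dir == "." else rel_dir.split("/")
        folded = [p.casefold() for p in parts]
        in_rules = any(folded[i:i + 2] == [".cursor", "rules"]
                       for i in range(len(folded)))
        for name in filenames:
            rel = "/".join(parts + [name])
            low = name.casefold()
            if folded[-1:] == [".cursor"] and low in PROTECTED_NAMES:
                exact = parts[-1] == ".cursor" and name == low
                # A differently-cased spelling resolves to the protected
                # file on case-insensitive filesystems (CVE-2025-59944).
                kind = PROTECTED_NAMES[low] if exact else "CASE_VARIANT"
                findings.append((rel, kind))
            elif in_rules and low.endswith(".mdc"):
                # Project rules can deliver injected text (CVE-2025-61592).
                findings.append((rel, "RULE_FILE"))
            elif low.endswith(".code-workspace"):
                # Workspace settings section (CVE-2025-61590).
                kind = _workspace_finding(os.path.join(dirpath, name))
                if kind:
                    findings.append((rel, kind))
    return sorted(findings)


if __name__ == "__main__":
    import sys
    for rel, kind in scan_checkout(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{kind:20} {rel}")
```

Run it against a fresh clone before opening the repository in the editor or CLI; every reported file is a candidate for manual review, not proof of compromise.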

Affected Versions

Summary Table

| CVE ID | Affected Versions | Fixed Version | Patch/Commit | CVSS 4.0 Score |
|---|---|---|---|---|
| CVE-2025-59944 | ≤ 1.6.23 | 1.7 | N/A | 7.3 High |
| CVE-2025-61590 | ≤ 1.6 | 1.7 | N/A | 7.5 High |
| CVE-2025-61591 | ≤ 1.7 | None yet | 2025.09.17-25b418f | 8.6 High |
| CVE-2025-61592 | ≤ 1.7 | None yet | 2025.09.17-25b418f | 8.6 High |
| CVE-2025-61593 | ≤ 1.7 | None yet | 25b418f | 8.6 High |

Detailed Version Information

Immediately Fixed in Version 1.7:

  • CVE-2025-59944: Affects versions 1.6.23 and below
  • CVE-2025-61590: Affects versions 1.6 and below

Patch Available (No Release Version Yet):

  • CVE-2025-61591: Affects versions 1.7 and below → Apply patch 2025.09.17-25b418f
  • CVE-2025-61592: Affects versions 1.7 and below → Apply patch 2025.09.17-25b418f
  • CVE-2025-61593: Affects versions 1.7 and below → Apply commit 25b418f

Recommendations

  1. For users on Cursor 1.6.23 or below: Upgrade to version 1.7 immediately (fixes CVE-2025-59944 and CVE-2025-61590)
  2. For users on Cursor 1.7: Apply patch 2025.09.17-25b418f to address CVE-2025-61591, CVE-2025-61592, and CVE-2025-61593
  3. For all users: Monitor for an official release version that includes all patches and upgrade when available

Severity Assessment

All CVEs: High Severity (CVSS 4.0: 7.3 - 8.6)

CVSS 4.0 Vector Analysis (Representative: CVE-2025-61591):

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

  • Attack Vector (AV:N): Network - Can be exploited remotely over network
  • Attack Complexity (AC:L): Low - No special conditions required beyond user interaction
  • Attack Requirements (AT:N): None - No specialized conditions needed
  • Privileges Required (PR:N): None - Attacker needs no authentication to the vulnerable system
  • User Interaction (UI:A): Active - User must actively engage (configure untrusted MCP, open malicious project)
  • Vulnerable System Confidentiality (VC:H): High - Full compromise of development environment confidentiality
  • Vulnerable System Integrity (VI:H): High - Arbitrary command execution allows complete integrity compromise
  • Vulnerable System Availability (VA:H): High - Attacker can fully disrupt system availability
  • Subsequent System Confidentiality (SC:N): Negligible - Impact contained to vulnerable system
  • Subsequent System Integrity (SI:N): Negligible - Impact contained to vulnerable system
  • Subsequent System Availability (SA:N): Negligible - Impact contained to vulnerable system

Severity Considerations:

Attack Vector (CVE-2025-61591 Specific):

  • MCP Server Impersonation: Attacker sets up malicious MCP server that impersonates legitimate service
  • OAuth Chain Exploitation: Vulnerability triggered when Cursor uses OAuth authentication with untrusted MCP server
  • Command Injection: Malicious server returns crafted commands that are executed by Cursor
  • Full System Compromise: Commands execute with full user privileges, enabling complete system takeover

Impact:

  • Confidentiality: Complete exposure of source code, credentials, intellectual property, and development environment secrets
  • Integrity: Arbitrary code execution allows malicious code injection, backdoor installation, and supply chain compromise
  • Availability: System can be fully compromised, disabled, or used for ransomware deployment

Agentic AI Context:

  • MCP Protocol Trust Model: Cursor's integration with MCP servers creates implicit trust boundaries that can be exploited
  • OAuth Authentication Weakness: OAuth flow with untrusted servers enables man-in-the-middle style attacks
  • Development Environment Access: Compromised Cursor instance has access to sensitive codebases, CI/CD pipelines, and production credentials
  • AI-Augmented Attack Surface: MCP servers designed for AI agent interactions create novel command injection vectors

Assumptions:

  • Developer configures Cursor to use MCP with OAuth authentication
  • MCP server is untrusted or attacker-controlled
  • Cursor versions 1.7 and below are in use
  • No additional security controls (network segmentation, MCP server allowlisting) are in place

Immediate Mitigation Steps

Until patches are available and specific mitigation guidance is released, consider these defensive measures:

1. Inventory and Visibility

Identify Cursor Usage:

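# Example: Scan for Cursor installations (adapt for your OS)
# macOS/Linux (shell); on Linux, point find at your own install locations
find /Applications \( -name "Cursor.app" -o -name "cursor" \) 2>/dev/null
# The [c] bracket keeps grep from matching its own process entry
ps aux | grep -i '[c]ursor'

# Windows (PowerShell)
Get-Process | Where-Object { $_.ProcessName -like "*cursor*" }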

Maintain an inventory of:

  • Which teams/individuals use Cursor
  • Which projects and repositories are accessed via Cursor
  • What credentials or API keys might be exposed in Cursor contexts

2. Access Controls and Least Privilege

  • Review IAM policies for developer workstations to ensure credentials are scoped minimally
  • Implement short-lived credentials for cloud services rather than long-lived API keys in development environments
  • Enable MFA on all accounts accessible from development tools
  • Restrict network egress from developer workstations to known-necessary endpoints

3. Monitoring and Detection

Implement monitoring for suspicious activities:

  • Unusual network connections from Cursor processes
  • Unexpected code commits or repository access patterns
  • Credential usage from unfamiliar locations or at unusual times
  • Large data transfers from development environments

4. Secrets Management Hygiene

  • Audit environment variables and configuration files for hardcoded credentials
  • Rotate sensitive credentials if compromise is suspected
  • Implement secrets scanning in repositories to detect accidental credential exposure
  • Use dedicated secrets managers (HashiCorp Vault, AWS Secrets Manager) rather than storing credentials in code

5. Network Isolation

  • Segment development networks from production infrastructure
  • Implement egress filtering to restrict outbound connections from developer workstations
  • Monitor AI API traffic if Cursor's AI features connect to external services

6. Stay Informed

  • Subscribe to Cursor's security advisories and release notes
  • Monitor CVE databases (NVD, MITRE) for updates on these CVEs
  • Follow security researchers who focus on developer tool security
  • Join relevant security communities (e.g., developer security forums, AI security groups)

Long-Term Recommendations

Development Environment Security

Harden Developer Workstations:

  • Implement endpoint detection and response (EDR) on all developer machines
  • Require full-disk encryption and secure boot
  • Enforce regular patching cycles for development tools
  • Use application allow-listing to prevent unauthorized software execution

Adopt Secure Development Practices:

  • Implement code review requirements for all commits
  • Use branch protection rules to prevent direct commits to main branches
  • Enable commit signing to verify author identity
  • Deploy static analysis and security scanning in CI/CD pipelines

Zero Trust for Development Access:

  • Treat developer workstations as untrusted networks
  • Require re-authentication for sensitive operations
  • Implement just-in-time access for production systems
  • Log and audit all privileged actions

AI Development Tool Governance

Establish AI Tool Policies:

  • Maintain an approved list of AI-augmented development tools
  • Require security review before adopting new AI coding assistants
  • Define acceptable use policies for AI features (e.g., what code can be shared with external AI services)
  • Implement data classification to prevent sensitive code from being processed by external AI APIs

Monitor AI Tool Behavior:

  • Audit what data is sent to AI service providers
  • Review AI tool permissions and API access patterns
  • Implement DLP controls on AI-assisted coding environments
  • Establish incident response procedures specific to AI tool compromise

Vulnerability Management for Development Tools

Proactive Patch Management:

  • Prioritize security updates for development tools as highly as production systems
  • Test patches in isolated environments before broad deployment
  • Maintain rollback procedures in case patches introduce instability

Vendor Engagement:

  • Establish direct communication channels with Cursor's security team
  • Participate in early access or beta programs for security updates
  • Consider commercial support agreements that include security advisory services

Framework Context

These vulnerabilities align with recognized security frameworks:

OWASP Top 10 for Large Language Model Applications (2025)

  • LLM01:2025 Prompt Injection: If CVEs involve prompt manipulation in Cursor's AI features
  • LLM03:2025 Supply Chain: Compromised development environments enable supply chain attacks
  • LLM06:2025 Excessive Agency: AI-assisted coding with overly permissive capabilities

Additional Considerations

Business Continuity Planning

If patches require significant downtime or changes to development workflows:

  • Assess criticality of Cursor to each development team's productivity
  • Identify alternative tools that could be used temporarily if Cursor needs to be disabled
  • Communicate with stakeholders about potential productivity impacts during remediation
  • Prioritize patching for teams working on security-critical or production-facing code

Legal and Compliance Implications

Development environment compromises may trigger compliance obligations:

  • Data breach notification requirements if source code or customer data is accessed
  • Regulatory reporting for organizations in regulated industries (finance, healthcare, government)
  • Customer disclosure if compromised code was deployed to production
  • Insurance claims under cyber liability policies

Incident Response Preparedness

Prepare for potential exploitation:

  • Define indicators of compromise specific to Cursor exploitation
  • Establish forensic procedures for investigating compromised development environments
  • Practice tabletop exercises simulating developer tool compromise scenarios
  • Maintain isolated forensic analysis environments for examining potentially compromised systems

Advisory Status: This is a preliminary advisory based on CVE assignments. It will be updated as:

  • Detailed vulnerability information is publicly disclosed
  • Cursor releases patches and official mitigation guidance
  • Security researchers publish analyses or proof-of-concept exploits
  • Organizations report confirmed exploitation or incidents

Last Updated: October 15, 2025
