CVE 9.8 CRITICAL

CVE-2025-62354_CVE-2025-62354

November 26, 2025 invoker category_cve

9.8 / 10

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Description

Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in the allowlist, resulting in arbitrary code execution.

AI Analysis

Command injection vulnerability in Cursor allowing arbitrary code execution

Basic Information

ID CVE-2025-62354

Source HiddenLayer

Published Nov 26, 2025 at 15:40

Modified Nov 26, 2025 at 16:09

Affected Product

Vendor cursor

Product cursor

Version 1.3.4

Affected Versions cursor cursor 1.3.4

CWE Classification

CWE-78

AI Assessment

AI Score 9.8 / 10

AI Severity Critical

Vendor Cursor

Product Cursor

Version 1.3.4

References

hiddenlayer.com /sai_security_advisor/2025-11-cursor/

{
    "lastseen": "",
    "description": "Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in the allowlist, resulting in arbitrary code execution.",
    "published": "2025-11-26T15:40:24.871Z",
    "modified": "2025-11-26T16:09:10.217Z",
    "type": "cve",
    "title": "CVE-2025-62354",
    "source": "HiddenLayer",
    "references": "https://hiddenlayer.com/sai_security_advisor/2025-11-cursor/",
    "id": "CVE-2025-62354",
    "bulletinFamily": "",
    "cwe": [
        "CWE-78"
    ],
    "cvelist": null,
    "sourceData": "cursor cursor 1.3.4",
    "sourceHref": "",
    "cvss": {
        "score": 9.8,
        "severity": "CRITICAL",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cursor",
    "version": "1.3.4",
    "vendor": "cursor",
    "ai_description": "Command injection vulnerability in Cursor allowing arbitrary code execution",
    "ai_severity": "Critical",
    "ai_vendor": "Cursor",
    "ai_product": "Cursor",
    "ai_version": "1.3.4",
    "ai_score": 9.8
}

💭 Join the Security Discussion ❌ Cancel Reply