CVE Details
Basic Information
| Title | Cursor Agent is vulnerable to prompt injection via MCP Special Files |
|---|---|
| Type | cve |
| Published | 2025-08-05T00:11:07.363Z |
| Modified | 2025-08-05T00:11:07.363Z |
Product Information
| Vendor | cursor |
|---|---|
| Product | cursor |
| Version | < 1.3.9 |
CVSS Information
| Base Score | 8.6 (HIGH) |
|---|---|
| Attack Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
AI Analysis
| AI Description | Cursor allows unauthorized creation of certain files, potentially enabling remote code execution via prompt injection. Fixed in version 1.3.9. |
|---|---|
| AI Severity | Critical |
| AI Vendor | Cursor |
| AI Product | Cursor |
| AI Version | versions below 1.3.9 |
Affected Products
- cursor cursor < 1.3.9
Additional Information
| CWE List | CWE-78, CWE-829 |
|---|---|
| Source | GitHub_M |
Description
Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions below 1.3.9, If the file is a dotfile, editing it requires approval but creating a new one doesn’t. Hence, if sensitive MCP files, such as the .cursor/mcp.json file don’t already exist in the workspace, an attacker can chain a indirect prompt injection vulnerability to hijack the context to write to the settings file and trigger RCE on the victim without user approval. This is fixed in version 1.3.9.