CVE Details
Basic Information
| Title | Cursor Agent is vulnerable to prompt injection via Editor Special Files |
|---|---|
| Type | cve |
| Published | 2025-08-05T00:12:28.632Z |
| Modified | 2025-08-05T00:12:28.632Z |
Product Information
| Vendor | cursor |
|---|---|
| Product | cursor |
| Version | < 1.3.9 |
CVSS Information
| Base Score | 7.5 (HIGH) |
|---|---|
| CVSS Vector | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
AI Analysis
| AI Description | A vulnerability in Cursor allows unauthorized file writes, potentially leading to remote code execution (RCE) by exploiting prompt injection in editor special files. This issue is fixed in version 1.3.9. |
|---|---|
| AI Severity | Critical |
| AI Vendor | Cursor |
| AI Product | Cursor |
| AI Version | 1.3.9 |
Affected Products
- cursor cursor < 1.3.9
Additional Information
| CWE List | CWE-285 |
|---|---|
| Source | GitHub_M |
Description
Cursor is a code editor built for programming with AI. In versions earlier than 1.3.9, Cursor allows the agent to write in-workspace files with no user approval. If the file is a dotfile, editing it requires approval, but creating a new one does not. Hence, if sensitive editor files such as .vscode/settings.json do not already exist in the workspace, an attacker can chain an indirect prompt injection vulnerability to hijack the agent's context, write to the settings file, and trigger RCE on the victim without user approval. This is fixed in version 1.3.9.