CVE-2025-32018 in cursor
Summary
by MITRE • 04/08/2025
Cursor is a code editor built for programming with AI. In versions 0.45.0 through 0.48.6, the Cursor app introduced a regression affecting the set of file paths the Cursor Agent is permitted to modify automatically. Under specific conditions, the agent could be prompted, either directly by the user or via maliciously crafted context, to automatically write to files outside of the opened workspace. This behavior required deliberate prompting, making successful exploitation highly impractical in real-world scenarios. Furthermore, the edited file was still displayed in the UI as usual for user review, making it unlikely for the edit to go unnoticed by the user. This vulnerability is fixed in 0.48.7.
Analysis
by VulDB Data Team • 04/08/2025
The vulnerability identified as CVE-2025-32018 affects Cursor, a code editor designed for AI-assisted programming, specifically within versions 0.45.0 through 0.48.6. This represents a regression in the application's security model that impacts the Cursor Agent's file modification permissions. The flaw manifests when the agent, which is designed to operate within defined workspace boundaries, can be induced to write to files outside of the intended project scope. This issue stems from insufficient path validation and access control mechanisms that govern how the agent processes user prompts and context information.
The technical implementation of this vulnerability involves a breakdown in the agent's sandboxing behavior that normally restricts file system operations to the currently opened workspace. When users provide prompts or when malicious context is injected, the agent may interpret these inputs as instructions to modify files beyond the designated boundaries. This regression effectively removes or weakens the access control boundaries that should normally prevent the agent from writing to arbitrary locations on the file system. The vulnerability operates through the agent's interpretation of user commands and context, where specific conditions must be met to trigger the unintended behavior.
From an operational perspective, the exploitability of this vulnerability requires deliberate user prompting or malicious context injection, making it highly impractical for automated or widespread exploitation in real-world scenarios. The security implications remain limited because the modified files continue to be displayed in the user interface for review, ensuring that any unauthorized modifications would be visible to the user. This visibility factor significantly reduces the risk of undetected malicious activity, as users would observe any changes made by the agent. The vulnerability's impact is further constrained by the requirement for specific user interaction or context manipulation to trigger the problematic behavior.
The fix implemented in version 0.48.7 addresses the core issue by restoring proper path validation and access control mechanisms within the Cursor Agent. This update ensures that file system modifications remain confined to the workspace boundaries and that any attempts to write outside the designated scope are properly rejected. The remediation aligns with security best practices for sandboxed applications and follows the principle of least privilege. This vulnerability demonstrates the importance of maintaining strict access controls in AI-assisted development environments where agents may have elevated privileges for code modification tasks. The fix represents a return to proper boundary enforcement that prevents the agent from executing unauthorized file system operations while maintaining the intended functionality of the application. This type of vulnerability falls under CWE-276, Access Control, and could potentially map to ATT&CK techniques involving privilege escalation or unauthorized information access through application vulnerabilities.
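The kind of workspace-boundary check the analysis describes, as an added example that is not Cursor's code and is not taken from the 0.48.7 fix: it canonicalises the requested path, including symlinks and files that do not exist yet, and compares path components against the workspace root. The function names, directory names and sample requests are constructed for illustration.

```javascript
// Added example, not Cursor's code: confine agent writes to the workspace.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Canonicalise a path that may not exist yet: resolve symlinks on the nearest
// existing ancestor, then re-append the missing tail.
function realpathAllowMissing(p) {
  const tail = [];
  for (let cur = p; ; cur = path.dirname(cur)) {
    try {
      return path.join(fs.realpathSync(cur), ...tail);
    } catch (err) {
      if (err.code !== 'ENOENT') throw err;
      // Entry exists but does not resolve: dangling symlink, a write would follow it.
      if (fs.lstatSync(cur, { throwIfNoEntry: false })) return null;
      if (path.dirname(cur) === cur) throw err;
      tail.unshift(path.basename(cur));
    }
  }
}

// Returns the canonical path to write to, or null if the request escapes the
// workspace. Callers write to the returned path, never to the raw request.
function resolveInWorkspace(workspaceRoot, requested) {
  const root = fs.realpathSync(workspaceRoot);
  // Relative requests are anchored at the workspace, not at process.cwd().
  const target = realpathAllowMissing(path.resolve(root, requested));
  if (target === null) return null;
  // Compare components, not string prefixes: "/w/proj-evil" starts with "/w/proj".
  const rel = path.relative(root, target);
  const outside = rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel);
  return outside ? null : target;
}

// Constructed layout under the OS temp dir; returns one verdict per request.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'ws-demo-'));
  const root = path.join(base, 'proj');
  const sibling = path.join(base, 'proj-evil');
  fs.mkdirSync(path.join(root, 'src'), { recursive: true });
  fs.mkdirSync(sibling);
  fs.symlinkSync(sibling, path.join(root, 'link')); // symlink leaving the workspace
  fs.symlinkSync(path.join(base, 'missing'), path.join(root, 'dangling'));
  const requests = ['src/new.js', '../proj-evil/x', path.join(sibling, 'x'), 'link/x', 'dangling'];
  const verdicts = requests.map((r) => resolveInWorkspace(root, r) !== null);
  fs.rmSync(base, { recursive: true, force: true });
  return verdicts;
}
console.log(demo()); // [ true, false, false, false, false ]
```

Because the check and the write are separate steps, a change to the directory tree in between can invalidate the verdict, so the check belongs as close to the write as possible.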