CVE-2025-61592 in Cursor
Summary
by MITRE • 10/03/2025
Cursor is a code editor built for programming with AI. In versions 1.7 and below, automatic loading of project-specific CLI configuration from the current working directory (/.cursor/cli.json) could override certain global configurations in Cursor CLI. This allowed users running the CLI inside a malicious repository to be vulnerable to Remote Code Execution through a combination of permissive configuration (allowing shell commands) and prompt injection delivered via project-specific Rules (/.cursor/rules/rule.mdc) or other mechanisms. The fix for this issue is currently available as a patch 2025.09.17-25b418f. As of October 3, 2025 there is no release version.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 10/03/2025
The vulnerability identified as CVE-2025-61592 affects Cursor, a code editor designed for AI-assisted programming, specifically impacting versions 1.7 and earlier. This flaw stems from the application's automatic loading mechanism that processes project-specific configuration files from the current working directory, particularly the /.cursor/cli.json file. The security issue arises from the improper handling of local configuration overrides that can supersede global settings, creating a dangerous privilege escalation vector within the CLI environment.
The technical exploitation of this vulnerability involves a combination of configuration manipulation and prompt injection techniques. Attackers can place malicious configuration files within a repository's directory structure, specifically targeting the /.cursor/rules/rule.mdc file or similar project-specific rules. When Cursor loads these project-specific configurations, it processes shell commands enabled through permissive configuration settings, creating an execution environment where arbitrary code can be injected and executed. This represents a classic case of insecure configuration management combined with insufficient input validation and sanitization.
The operational impact of this vulnerability is severe, as it enables remote code execution through a simple repository interaction. An attacker merely needs to place malicious files within a project directory, and when an unsuspecting user runs the Cursor CLI within that repository, the malicious code executes with the privileges of the user running the application. This vulnerability aligns with CWE-276, which addresses improper privilege management, and represents a direct violation of the principle of least privilege in software security design.
The attack vector leverages the ATT&CK technique of privilege escalation through configuration files, where adversaries manipulate local configuration to achieve unauthorized code execution. The vulnerability demonstrates poor separation of concerns between global and project-specific configurations, allowing local files to override system-wide security policies. This issue also reflects weaknesses in input sanitization and command execution validation, as the system fails to properly validate or sanitize user-provided content from project-specific rule files.
Security mitigation requires immediate application of the patch version 2025.09.17-25b418f, which addresses the core configuration loading mechanism and implements stricter validation of project-specific files. Organizations should enforce configuration lockdown policies that prevent automatic loading of potentially malicious project configurations, particularly those that enable shell command execution. The fix should include mandatory validation of all project-specific configuration files, input sanitization for rule-based content, and implementation of secure default configurations that cannot be overridden by local settings. Additionally, users should be educated about the risks of running Cursor CLI within untrusted repositories, and organizations should implement automated scanning for potentially malicious configuration files in development environments.
The vulnerability highlights the importance of secure configuration management practices and proper input validation in modern development tools. It demonstrates how seemingly benign features like project-specific configuration loading can create significant security risks when not properly implemented with security controls. The issue also underscores the need for comprehensive security testing of development tools, particularly those that interact with user-provided content and execute commands based on configuration settings. Implementation of defense-in-depth strategies, including file integrity monitoring, automated configuration validation, and secure coding practices for CLI applications, would significantly reduce the risk of similar vulnerabilities in the future.