CVE-2025-64110 in Cursor
Summary
by MITRE • 11/05/2025
Cursor is a code editor built for programming with AI. In versions 1.7.23 and below, a logic bug allows a malicious agent to read sensitive files that should be protected via cursorignore. An attacker who has already achieved prompt injection, or a malicious model, could create a new cursorignore file which can invalidate the configuration of pre-existing ones. This could allow a malicious agent to read protected files. This issue is fixed in version 2.0.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 11/08/2025
The vulnerability identified as CVE-2025-64110 affects Cursor, a code editor designed for programming with AI assistance, specifically impacting versions 1.7.23 and earlier. This logic bug represents a significant security flaw that undermines the intended file access controls within the application's configuration system. The issue stems from how the editor handles cursorignore files, which are designed to protect sensitive files from unauthorized access during AI-assisted coding sessions.
The technical flaw manifests through a logic error that allows malicious agents to bypass existing cursorignore configurations. When an attacker achieves prompt injection or when a malicious AI model is involved, they can create new cursorignore files that effectively invalidate or override existing protection mechanisms. This creates a scenario where previously protected sensitive files become accessible to unauthorized parties. The vulnerability operates at the configuration management level, exploiting the application's failure to properly validate or enforce the integrity of ignore file configurations.
From an operational impact perspective, this vulnerability presents a serious risk to developers who rely on Cursor for their coding activities. The attack vector requires an initial compromise through prompt injection, which aligns with common AI security patterns documented in the ATT&CK framework under the T1584.004 technique for abuse of AI/ML models. Once the initial compromise occurs, attackers can escalate their privileges to access files that should remain protected, potentially exposing source code, configuration files, or other sensitive data that might contain credentials, API keys, or proprietary information.
The security implications extend beyond simple file access, as this vulnerability allows for configuration manipulation that could lead to broader system compromise. The issue is particularly concerning because it affects the core protection mechanisms of the application, potentially enabling attackers to bypass security controls that are fundamental to the editor's operation. Organizations using Cursor in development environments may face increased risk of data exposure, especially in scenarios where AI models are integrated into the development workflow.
The remediation for this vulnerability requires upgrading to version 2.0 or later, which addresses the logic error in cursorignore file handling. Organizations should implement immediate mitigation strategies including reviewing existing cursorignore configurations, monitoring for suspicious file creation activities, and ensuring that prompt injection vulnerabilities are addressed in AI-assisted development workflows. This vulnerability aligns with CWE-284, which covers improper access control, and demonstrates the importance of proper input validation and configuration management in AI-integrated development environments. The fix likely involves strengthening the validation mechanisms for cursorignore file modifications and ensuring that new configurations cannot override existing security policies without proper authorization.