CVE-2025-61593

CVE-2025-61593 affects Cursor, an AI-powered code editor, specifically in versions 1.7 and below. The vulnerability resides in the Cursor CLI Agent's protection mechanism for sensitive files, such as those located at */.cursor/cli.json. Attackers can exploit this through prompt injection to modify the content of these files, enabling remote code execution (RCE). This issue is particularly effective on case-insensitive filesystems and is associated with CWE-94 (Improper Control of Generation of Code) and CWE-178 (Improper Handling of Case Sensitivity), with a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).

Exploitation requires network access, low privileges (PR:L), user interaction (UI:R), and high attack complexity (AC:H). A malicious actor with these conditions can deliver a prompt injection payload to the Cursor CLI Agent, tricking it into altering sensitive configuration files. Successful modification grants full RCE on the affected system, compromising confidentiality, integrity, and availability with high impact.

The GitHub Security Advisory (GHSA-x2vq-h6v6-jhc6) details the fix in commit 25b418f, though it remains unreleased as of October 3, 2025. Security practitioners should monitor for an official patch release and consider workarounds such as restricting CLI Agent usage, enforcing case-sensitive filesystems where possible, or disabling AI features until mitigation is available.

Notable context includes Cursor's AI integration for programming, making this prompt injection vulnerability relevant to AI/ML-assisted development tools, with no reported real-world exploitation as of disclosure.