Cursor Code Editor Arbitrary Code Execution Vulnerability via Indirect Prompt Injection

A vulnerability in Cursor, a code editor designed for programming with AI, allows for arbitrary code execution. In versions prior to 1.3.9, Cursor permits writing to in-workspace files without user approval. While editing dotfiles requires consent, creating new dotfiles does not. This creates an opportunity for an attacker to exploit sensitive editor files, such as .vscode/settings.json. If the settings file does not already exist in the workspace, an attacker can leverage an indirect prompt injection vulnerability to manipulate the context, write to the settings file, and execute code on the victim's machine without approval.

Impact

Exploitation of this vulnerability, when combined with a separate prompt injection issue, could lead to unauthorized writing of sensitive editor files on the host. This could be used to indirectly execute code, such as by altering the user's default shell.

Remediation

The vulnerability has been addressed in Cursor version 1.3.9, where the agent's ability to write to several editor-sensitive files without approval has been restricted.