Cursor Code Editor Arbitrary Code Execution Vulnerability via Indirect Prompt Injection
Vulnerability
A vulnerability in the Cursor code editor, versions through 1.2.1, allows for arbitrary code execution. The issue arises from the application's handling of in-workspace files. While dotfiles require user approval for editing, new dotfiles can be created without consent. This creates an opportunity for an attacker to exploit sensitive MCP files, such as .cursor/mcp.json. If these files are not already present in the workspace, an attacker can leverage an indirect prompt injection vulnerability to manipulate the context, write to the settings file, and execute code on the victim's machine without approval.
Impact
Exploitation of this vulnerability, especially when combined with a separate prompt injection issue, could lead to unauthorized writing of sensitive MCP files on the host. This could allow execution of arbitrary code by adding the injected code as a new MCP server.
Remediation
The application has been updated in version 1.3.9 to require approval before the agent can write sensitive MCP files.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.