CVE-2025-32018 Overview
Cursor, an AI-powered code editor, contains a path traversal vulnerability [CWE-22] in its Agent file-write logic. Versions 0.45.0 through 0.48.6 introduced a regression that broadened the set of file paths the Cursor Agent could modify automatically. Under specific conditions, the Agent could be steered, either by the user or through maliciously crafted context, to write to files outside the opened workspace. The vendor notes the Agent still displayed modified files in the UI for user review, reducing the chance an edit goes unnoticed. The issue is fixed in version 0.48.7.
Critical Impact
A malicious prompt or poisoned context can cause the Cursor Agent to write to files outside the active workspace, enabling tampering with sensitive files on the host.
Affected Products
- Cursor 0.45.0 through 0.48.6
- Cursor Agent automatic file-write feature
- Fixed in Cursor 0.48.7
Discovery Timeline
- 2025-04-08 - CVE-2025-32018 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-32018
Vulnerability Analysis
The vulnerability stems from a regression in the Cursor Agent's workspace boundary enforcement. The Agent feature autonomously edits files based on natural language instructions and contextual content supplied to the model. In affected versions, the path validation that restricts edits to the open workspace was weakened, allowing the Agent to resolve and write to paths outside that boundary.
Exploitation requires deliberate prompting. Either the user must instruct the Agent to act on an out-of-workspace path, or a third-party context source, such as a referenced file, repository content, or web data, must inject instructions that the Agent follows. This pattern aligns with prompt injection attacks against agentic AI tools, where untrusted content is treated as authoritative instruction.
The edited file remains visible in Cursor's diff and review UI. A user reviewing changes can spot unexpected modifications before accepting them, which materially reduces real-world impact.
Root Cause
The root cause is improper limitation of a pathname to a restricted directory [CWE-22]. The Agent's file-write authorization logic regressed between 0.45.0 and 0.48.6, no longer reliably constraining target paths to the active workspace root.
Attack Vector
The attack vector is network-adjacent through model context. An attacker plants instructions in content the Agent ingests, such as a README, source comment, issue body, or referenced web page. When the user invokes the Agent with that context loaded, the model follows the embedded instructions and writes to attacker-chosen paths outside the workspace, subject to the editor process's file system permissions.
The vulnerability is described in prose; refer to the GitHub Security Advisory for the vendor's technical description.
Detection Methods for CVE-2025-32018
Indicators of Compromise
- Unexpected file modifications outside the active Cursor workspace directory, particularly to user configuration files, shell profiles (.bashrc, .zshrc), or SSH configuration.
- Cursor Agent diff entries referencing absolute paths that fall outside the opened project root.
- New or modified files in user home directories with timestamps that correlate to Cursor Agent sessions.
Detection Strategies
- Inventory installed Cursor versions across developer endpoints and flag any instance in the 0.45.0 through 0.48.6 range.
- Monitor file integrity on sensitive paths outside typical project directories on workstations where Cursor is installed.
- Review Cursor Agent change history and require explicit user acceptance for any diff that targets paths outside the workspace root.
Monitoring Recommendations
- Forward endpoint file modification telemetry from developer workstations into a SIEM and alert on writes by the Cursor process to paths outside known project roots.
- Track Cursor auto-update status to confirm endpoints reach version 0.48.7 or later.
- Audit prompt and context sources the Agent ingests, especially content pulled from untrusted repositories or external URLs.
How to Mitigate CVE-2025-32018
Immediate Actions Required
- Upgrade Cursor to version 0.48.7 or later on all developer endpoints.
- Restart Cursor after upgrade and verify the installed version through the application's About dialog.
- Review recent Agent-driven changes for unexpected edits to files outside project workspaces.
Patch Information
The vendor fixed the regression in Cursor 0.48.7. Details are available in the GitHub Security Advisory GHSA-qjh8-mh96-fc86.
Workarounds
- Until upgraded, disable or avoid the Cursor Agent's automatic file-write capability and require manual application of suggested edits.
- Review every Agent diff in the UI before accepting changes, paying attention to absolute paths and files outside the workspace.
- Avoid loading untrusted repositories, documents, or web content into the Agent's context window on vulnerable versions.
# Verify the installed Cursor version on macOS or Linux
cursor --version
# Expected output for the patched release
# 0.48.7
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
