CVE-2025-54130: Anysphere Cursor RCE Vulnerability

CVE-2025-54130 Overview

CVE-2025-54130 is a critical vulnerability in Cursor, an AI-powered code editor developed by Anysphere. The vulnerability allows attackers to write arbitrary files within a workspace without requiring user approval in versions prior to 1.3.9. While editing existing dotfiles requires user approval, creating new dotfiles does not enforce this security constraint. This authorization bypass can be chained with an indirect prompt injection vulnerability to achieve Remote Code Execution (RCE) on victim machines without any user interaction or approval.

Critical Impact
Attackers can exploit this vulnerability to write malicious configurations to sensitive editor files such as .vscode/settings.json, enabling full remote code execution on target systems without user consent.

Affected Products

Anysphere Cursor versions prior to 1.3.9
Cursor AI code editor with default workspace settings
Environments where .vscode/settings.json does not exist in the workspace

Discovery Timeline

2025-08-05 - CVE-2025-54130 published to NVD
2025-08-25 - Last updated in NVD database

Technical Details for CVE-2025-54130

Vulnerability Analysis

This vulnerability represents a broken access control flaw (CWE-285) in Cursor's file handling mechanism. The core issue lies in an inconsistent authorization model where the application enforces approval requirements for modifying existing dotfiles but fails to apply the same restrictions when creating new dotfiles. This design oversight creates a significant security gap that can be exploited through indirect prompt injection attacks.

When an attacker successfully injects malicious prompts into the AI context, they can instruct Cursor to create new sensitive configuration files within the workspace. The .vscode/settings.json file is a particularly attractive target because it can contain executable configurations that run automatically when the editor loads the workspace.

Root Cause

The root cause of this vulnerability is an improper implementation of the authorization check for file operations. The application correctly validates user approval when editing pre-existing dotfiles but fails to perform the same validation when creating new dotfiles from scratch. This inconsistency in the security boundary allows attackers to bypass the intended approval workflow entirely by targeting workspaces where sensitive configuration files do not yet exist.

Attack Vector

The attack leverages the network-accessible nature of AI-powered code editors that process external content. An attacker can craft malicious content containing indirect prompt injection payloads that, when processed by Cursor's AI features, hijack the context and instruct the editor to create malicious configuration files.

The attack chain works as follows:

The attacker crafts content containing hidden prompt injection instructions
The victim opens or processes this content in Cursor
The AI interprets the injected prompts and attempts to create new workspace files
Due to the missing authorization check, Cursor creates a new .vscode/settings.json file without user approval
The malicious settings file contains configurations that trigger code execution
Upon workspace reload or editor restart, the malicious code executes with the victim's privileges

Technical details regarding exploitation can be found in the GitHub Security Advisory.

Detection Methods for CVE-2025-54130

Indicators of Compromise

Unexpected creation of .vscode/settings.json or other dotfiles in project workspaces
Presence of unfamiliar or suspicious configurations in VS Code settings files
Unusual task definitions or terminal commands in workspace configuration files
Evidence of prompt injection patterns in recently accessed files or AI chat history

Detection Strategies

Monitor file system events for creation of new dotfiles in workspace directories
Implement file integrity monitoring for sensitive configuration paths including .vscode/ directories
Review AI interaction logs for suspicious prompt patterns indicative of injection attempts
Compare workspace configurations against known-good baselines to detect unauthorized modifications

Monitoring Recommendations

Enable audit logging for all file creation events within development workspaces
Configure endpoint detection to alert on suspicious VS Code settings modifications
Implement behavioral analysis to detect unusual AI-driven file operations
Deploy SentinelOne Singularity to monitor for indicators of prompt injection and subsequent malicious file creation

How to Mitigate CVE-2025-54130

Immediate Actions Required

Upgrade Cursor to version 1.3.9 or later immediately
Review existing workspaces for unexpected or suspicious dotfiles
Audit .vscode/settings.json files for malicious configurations or task definitions
Enable additional approval requirements for AI-driven file operations where available

Patch Information

Anysphere has released version 1.3.9 of Cursor which addresses this vulnerability by enforcing proper authorization checks for all dotfile operations, including creation of new files. Users should update to this version or later through the standard update mechanism. For additional details, refer to the GitHub Security Advisory for GHSA-vqv7-vq92-x87f.

Workarounds

Pre-create empty .vscode/settings.json files in all workspaces to trigger the existing edit approval mechanism
Restrict AI features from accessing or modifying workspace configuration directories
Implement file system permissions to prevent automated creation of dotfiles
Use read-only workspace configurations where development requirements permit

bash

# Create protective .vscode/settings.json in existing workspaces
# This ensures the edit-approval mechanism is triggered for any modifications
find /path/to/workspaces -type d -name ".vscode" -prune -o -type d -maxdepth 2 -exec sh -c '
  mkdir -p "$1/.vscode" && touch "$1/.vscode/settings.json"
' _ {} \;

# Set restrictive permissions on existing VS Code settings
chmod 644 /path/to/workspace/.vscode/settings.json