CVE-2025-59944 Overview
CVE-2025-59944 is a critical vulnerability in Cursor, an AI-powered code editor developed by Anysphere. The vulnerability exists in how Cursor IDE protects its sensitive configuration files: the protection uses case-sensitive path checks that fail on case-insensitive file systems. Attackers can exploit this flaw through prompt injection to modify protected files such as .cursor/mcp.json, ultimately achieving remote code execution.
Critical Impact
This vulnerability allows attackers to achieve full remote code execution by bypassing file protection mechanisms through case manipulation on case-insensitive file systems (Windows, macOS). Prompt injection attacks can modify sensitive configuration files, leading to complete system compromise.
Affected Products
- Anysphere Cursor versions 1.6.23 and below
- Cursor IDE installations on case-insensitive file systems (Windows, macOS)
- Systems utilizing Cursor's MCP (Model Context Protocol) configuration
Discovery Timeline
- 2025-10-03 - CVE-2025-59944 published to NVD
- 2025-10-16 - Last updated in NVD database
Technical Details for CVE-2025-59944
Vulnerability Analysis
The vulnerability stems from a fundamental mismatch between Cursor IDE's file protection mechanism and the behavior of case-insensitive file systems. Cursor implements security controls to prevent unauthorized modification of sensitive configuration files, particularly those in the .cursor directory. However, these protective checks perform case-sensitive string comparisons to determine whether a file path should be protected.
On case-insensitive file systems, which include Windows (NTFS, FAT32) and macOS (APFS and HFS+ in their default configuration), paths like .CURSOR/mcp.json, .Cursor/MCP.JSON, or any other case variation resolve to the same file as .cursor/mcp.json. The case-sensitive security check does not recognize these variant paths as protected, so write operations through them bypass the intended protections.
This weakness can be exploited through prompt injection attacks, where malicious content injected into AI prompts causes Cursor to write to configuration files using alternate case patterns, effectively circumventing the file protection mechanism.
Root Cause
The root cause is classified as CWE-178: Improper Handling of Case Sensitivity. The security implementation assumes case sensitivity in file path comparisons without accounting for the case-insensitive nature of common operating system file systems. This creates a disconnect between the security model and the actual file system behavior, allowing attackers to reference protected files using case-varied paths that evade detection.
Attack Vector
The attack leverages prompt injection as the initial vector. An attacker crafts malicious content designed to be processed by Cursor's AI functionality. When this content is interpreted, it instructs the AI to write to configuration files using case-varied paths such as .CURSOR/mcp.json instead of .cursor/mcp.json. Because the security checks are case-sensitive, these paths bypass protection mechanisms.
Once the attacker can modify the mcp.json configuration file, they can inject malicious Model Context Protocol settings that execute arbitrary code when Cursor processes the configuration. This transforms a seemingly minor case-sensitivity oversight into a full remote code execution vulnerability.
The attack requires no authentication and can be executed remotely via network-delivered prompt injection content, making this a high-risk vulnerability for organizations using affected Cursor versions.
Detection Methods for CVE-2025-59944
Indicators of Compromise
- Unexpected modifications to .cursor/mcp.json or case-variant paths like .CURSOR/mcp.json
- Presence of unusual or unauthorized MCP configuration entries
- Evidence of prompt injection patterns in AI interaction logs
- Unexpected process execution originating from Cursor IDE
Detection Strategies
- Monitor file system events for write operations to Cursor configuration directories using case-insensitive pattern matching
- Implement file integrity monitoring on .cursor directory contents
- Review AI prompt logs for injection patterns attempting to reference configuration files with case variations
- Deploy endpoint detection rules to identify suspicious child processes spawned by Cursor
Monitoring Recommendations
- Enable detailed logging of file system operations affecting Cursor configuration directories
- Configure SIEM alerts for case-variant access patterns to sensitive application configuration files
- Establish baseline behavior for Cursor's file access patterns to identify anomalous activity
- Monitor for unexpected network connections following configuration file modifications
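As an added example covering the detection strategies and monitoring recommendations above (not from the advisory or from any vendor tooling), the script below scans file-event log lines for writes to Cursor's MCP configuration, matches the path case-insensitively, rates a case-variant spelling higher than a write through the canonical path, and correlates a process start by the same PID shortly after such a write. The log line format, the event names, and the sample lines are constructed for this example.

```javascript
// Added example (not from the advisory): detection logic over file-event
// log lines. The line format "<iso-time> <type> pid=<n> image=<name>
// path=<path>" and the sample events are constructed for this example.
const PROTECTED_SUFFIX = '.cursor/mcp.json';
const LINE_RE = /^(\S+) (\S+) pid=(\d+) image=(\S+) path=(.+)$/;

const SAMPLE_EVENTS = [
  '2025-10-05T09:12:01Z FILE_WRITE pid=4121 image=Cursor path=/Users/dev/proj/.cursor/mcp.json',
  '2025-10-05T09:12:07Z FILE_WRITE pid=4121 image=Cursor path=/Users/dev/proj/src/index.ts',
  '2025-10-05T09:13:40Z FILE_WRITE pid=4121 image=Cursor path=/Users/dev/proj/.CURSOR/mcp.json',
  '2025-10-05T09:13:41Z PROC_START pid=4121 image=Cursor path=/bin/sh',
  '2025-10-05T09:14:02Z FILE_READ pid=4121 image=Cursor path=/Users/dev/proj/.cursor/mcp.json',
  '2025-10-05T09:20:15Z FILE_WRITE pid=880 image=Cursor path=C:\\Users\\dev\\proj\\.Cursor\\MCP.JSON',
];

function parseEvent(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { time: Date.parse(m[1]), type: m[2], pid: m[3], image: m[4], path: m[5] };
}

// 'canonical' when the path ends in exactly .cursor/mcp.json, 'variant' when
// it ends in a different-case spelling of it, null for any other file.
// Backslashes are folded to '/' so Windows paths are handled too.
function classifyProtectedPath(p) {
  const tail = p.replace(/\\/g, '/').split('/').slice(-2).join('/');
  if (tail.toLowerCase() !== PROTECTED_SUFFIX) return null;
  return tail === PROTECTED_SUFFIX ? 'canonical' : 'variant';
}

// Walk the events in order and emit alerts. A process start by a PID that
// wrote the MCP config within windowMs is flagged because a malicious MCP
// entry takes effect by spawning a command.
function analyzeEvents(lines, windowMs = 60000) {
  const alerts = [];
  const lastConfigWrite = new Map(); // pid -> time of last protected write
  for (const line of lines) {
    const ev = parseEvent(line);
    if (!ev) continue;
    if (ev.type === 'FILE_WRITE') {
      const cls = classifyProtectedPath(ev.path);
      if (!cls) continue;
      lastConfigWrite.set(ev.pid, ev.time);
      alerts.push({
        time: ev.time, pid: ev.pid, path: ev.path,
        severity: cls === 'variant' ? 'high' : 'medium',
        reason: cls === 'variant' ? 'mcp-config-write-case-variant' : 'mcp-config-write',
      });
    } else if (ev.type === 'PROC_START') {
      const t = lastConfigWrite.get(ev.pid);
      if (t !== undefined && ev.time - t <= windowMs) {
        alerts.push({ time: ev.time, pid: ev.pid, path: ev.path,
          severity: 'high', reason: 'process-after-mcp-config-write' });
      }
    }
  }
  return alerts;
}
```

A write through the canonical path is rated medium because the user may legitimately edit mcp.json; a case-variant spelling has no legitimate reason to appear from an editor that knows the canonical name, so it is rated high on its own. A SIEM rule built on the same idea should match the suffix with a case-insensitive comparison (or a `(?i)` regex) rather than listing spellings.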
How to Mitigate CVE-2025-59944
Immediate Actions Required
- Upgrade Cursor IDE to version 1.7 or later immediately
- Review and validate the integrity of existing .cursor/mcp.json configuration files
- Implement additional file system protections on Cursor configuration directories
- Audit recent AI interactions for potential prompt injection attempts
Patch Information
Anysphere has addressed this vulnerability in Cursor version 1.7. The fix implements case-insensitive file path checking to properly protect sensitive files regardless of the case variant used to reference them. Organizations should upgrade to version 1.7 or later as soon as possible. Detailed information is available in the GitHub Security Advisory.
Workarounds
- Restrict file system permissions on the .cursor directory to prevent unauthorized modifications
- Implement application control policies to limit Cursor's ability to spawn child processes
- Consider temporarily disabling MCP functionality if not required until patching is complete
- Deploy file integrity monitoring to detect unauthorized configuration changes
# Example: Restrict permissions on Cursor configuration directory (Linux/macOS)
chmod 700 ~/.cursor
chattr +i ~/.cursor/mcp.json # Make configuration immutable (Linux)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.