CVE-2025-59944 Overview
CVE-2025-59944 is a critical vulnerability in Cursor, an AI-powered code editor developed by Anysphere. The vulnerability exists in how Cursor IDE protects its sensitive configuration files, specifically using case-sensitive checks that fail on case-insensitive file systems. Attackers can exploit this flaw through prompt injection to modify protected files such as */.cursor/mcp.json, ultimately achieving remote code execution.
Critical Impact
This vulnerability allows attackers to achieve full remote code execution by bypassing file protection mechanisms through case manipulation on case-insensitive file systems (Windows, macOS). Prompt injection attacks can modify sensitive configuration files, leading to complete system compromise.
Affected Products
- Anysphere Cursor versions 1.6.23 and below
- Cursor IDE installations on case-insensitive file systems (Windows, macOS)
- Systems utilizing Cursor's MCP (Model Context Protocol) configuration
Discovery Timeline
- 2025-10-03 - CVE CVE-2025-59944 published to NVD
- 2025-10-16 - Last updated in NVD database
Technical Details for CVE-2025-59944
Vulnerability Analysis
The vulnerability stems from a fundamental mismatch between Cursor IDE's file protection mechanism and the behavior of case-insensitive file systems. Cursor implements security controls to prevent unauthorized modification of sensitive configuration files, particularly those in the .cursor directory. However, these protective checks perform case-sensitive string comparisons to determine whether a file path should be protected.
On case-insensitive file systems—which include Windows (NTFS, FAT32) and macOS (APFS, HFS+ by default)—file paths like .CURSOR/mcp.json, .Cursor/MCP.JSON, or any other case variation resolve to the same file as .cursor/mcp.json. The case-sensitive security check fails to recognize these variant paths as protected, allowing write operations to bypass the intended protections.
This weakness can be exploited through prompt injection attacks, where malicious content injected into AI prompts causes Cursor to write to configuration files using alternate case patterns, effectively circumventing the file protection mechanism.
Root Cause
The root cause is classified as CWE-178: Improper Handling of Case Sensitivity. The security implementation assumes case sensitivity in file path comparisons without accounting for the case-insensitive nature of common operating system file systems. This creates a disconnect between the security model and the actual file system behavior, allowing attackers to reference protected files using case-varied paths that evade detection.
Attack Vector
The attack leverages prompt injection as the initial vector. An attacker crafts malicious content designed to be processed by Cursor's AI functionality. When this content is interpreted, it instructs the AI to write to configuration files using case-varied paths such as .CURSOR/mcp.json instead of .cursor/mcp.json. Because the security checks are case-sensitive, these paths bypass protection mechanisms.
Once the attacker can modify the mcp.json configuration file, they can inject malicious Model Context Protocol settings that execute arbitrary code when Cursor processes the configuration. This transforms a seemingly minor case-sensitivity oversight into a full remote code execution vulnerability.
The attack requires no authentication and can be executed remotely via network-delivered prompt injection content, making this a high-risk vulnerability for organizations using affected Cursor versions.
Detection Methods for CVE-2025-59944
Indicators of Compromise
- Unexpected modifications to .cursor/mcp.json or case-variant paths like .CURSOR/mcp.json
- Presence of unusual or unauthorized MCP configuration entries
- Evidence of prompt injection patterns in AI interaction logs
- Unexpected process execution originating from Cursor IDE
Detection Strategies
- Monitor file system events for write operations to Cursor configuration directories using case-insensitive pattern matching
- Implement file integrity monitoring on .cursor directory contents
- Review AI prompt logs for injection patterns attempting to reference configuration files with case variations
- Deploy endpoint detection rules to identify suspicious child processes spawned by Cursor
Monitoring Recommendations
- Enable detailed logging of file system operations affecting Cursor configuration directories
- Configure SIEM alerts for case-variant access patterns to sensitive application configuration files
- Establish baseline behavior for Cursor's file access patterns to identify anomalous activity
- Monitor for unexpected network connections following configuration file modifications
How to Mitigate CVE-2025-59944
Immediate Actions Required
- Upgrade Cursor IDE to version 1.7 or later immediately
- Review and validate the integrity of existing .cursor/mcp.json configuration files
- Implement additional file system protections on Cursor configuration directories
- Audit recent AI interactions for potential prompt injection attempts
Patch Information
Anysphere has addressed this vulnerability in Cursor version 1.7. The fix implements case-insensitive file path checking to properly protect sensitive files regardless of the case variant used to reference them. Organizations should upgrade to version 1.7 or later as soon as possible. Detailed information is available in the GitHub Security Advisory.
Workarounds
- Restrict file system permissions on the .cursor directory to prevent unauthorized modifications
- Implement application control policies to limit Cursor's ability to spawn child processes
- Consider temporarily disabling MCP functionality if not required until patching is complete
- Deploy file integrity monitoring to detect unauthorized configuration changes
# Example: Restrict permissions on Cursor configuration directory (Linux/macOS)
chmod 700 ~/.cursor
chattr +i ~/.cursor/mcp.json # Make configuration immutable (Linux)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
