CVE-2025-61590 Overview
CVE-2025-61590 affects Cursor, an AI-powered code editor built on Visual Studio Code. Versions 1.6 and below allow remote code execution through Visual Studio Code Workspaces. The flaw lets attackers bypass the protections introduced for CVE-2025-54130 by abusing .code-workspace files that VS Code creates automatically as untitled.code-workspace. An attacker who hijacks the chat context, for example through a compromised Model Context Protocol (MCP) server, can use prompt injection to instruct the Cursor Agent to write malicious entries into the workspace settings section. Anysphere fixed the issue in Cursor version 1.7.
Critical Impact
Prompt injection through a compromised MCP server can trigger arbitrary code execution on the developer workstation by writing to workspace settings.
Affected Products
- Anysphere Cursor versions 1.6 and below
- Cursor installations that open or auto-create .code-workspace files
- Cursor environments connected to untrusted MCP servers or external chat contexts
Discovery Timeline
- 2025-10-03 - CVE-2025-61590 published to the National Vulnerability Database
- 2025-10-17 - Last updated in NVD database
Technical Details for CVE-2025-61590
Vulnerability Analysis
The vulnerability is a code injection flaw classified under CWE-94. Cursor extends Visual Studio Code and inherits its workspace model. Workspaces let users group multiple folders and persist project-specific configuration in a .code-workspace JSON file, similar to .vscode/settings.json. VS Code automatically maintains an untitled.code-workspace file that mirrors the current session's folders and settings. This means a .code-workspace file is almost always present in the user's working context, even when the user never explicitly created one.
The Cursor Agent has file-writing capability within the project. Workspace settings are interpreted by the editor and can influence task runners, debug configurations, and extension behavior. Writing attacker-controlled values into the settings section enables code execution under the developer's user account.
Root Cause
Cursor 1.6 and earlier did not enforce the protections introduced for CVE-2025-54130 against the workspace settings path. The Agent could modify .code-workspace files without prompting the user, leaving the original RCE class re-exploitable through a different file location.
Attack Vector
The attack requires hijacking the Agent's chat context. A compromised MCP server, a malicious tool response, or attacker-controlled content read into the conversation can deliver a prompt injection payload. The injected instructions direct the Agent to write into untitled.code-workspace or an existing .code-workspace file. When the workspace is reloaded or relevant settings are evaluated, the malicious configuration executes commands on the host. The vulnerability requires the victim to operate within a workspace context, but no additional user interaction beyond normal editor use is needed once the chat context is compromised.
No verified public exploit code is available. Technical details are documented in the Cursor GitHub Security Advisory GHSA-xg6w-rmh5-r77r.
Detection Methods for CVE-2025-61590
Indicators of Compromise
- Unexpected modifications to .code-workspace or untitled.code-workspace files, especially within the settings block
- New or altered entries under task, debug, or extension-related keys that reference shell commands or external binaries
- Cursor Agent file-write actions targeting workspace configuration immediately after MCP tool responses or external content ingestion
Detection Strategies
- Monitor file integrity for *.code-workspace files in developer home directories and project roots
- Inspect Cursor and MCP server logs for Agent-initiated edits to workspace settings that were not requested by the user
- Correlate child process creation from the Cursor process with recent workspace settings changes to surface execution chains
Monitoring Recommendations
- Inventory active MCP servers and flag connections to untrusted or third-party endpoints in developer environments
- Alert on Cursor or VS Code spawning shells, package managers, or scripting interpreters shortly after a workspace reload
- Track outbound network connections from developer workstations following workspace file modifications
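The correlation described in the detection and monitoring lists above, written out as an added example (not vendor or advisory code): it pairs a shell or interpreter started by the editor with a preceding *.code-workspace write on the same host. The event field names, the parent process names, the interpreter list, the five-minute window and the sample events are all assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Assumptions: field names, process names and the window are illustrative
# and do not come from any particular EDR or logging schema.
EDITOR_PARENTS = {"cursor", "cursor.exe"}
INTERPRETERS = {"sh", "bash", "zsh", "cmd.exe", "powershell.exe", "python", "node", "npm"}
WINDOW = timedelta(minutes=5)

def basename(path):
    """Lower-cased final path component for POSIX or Windows style paths."""
    return re.split(r"[\\/]", path)[-1].lower()

def correlate(events, window=WINDOW):
    """Pair each interpreter started by the editor with the most recent
    *.code-workspace write on the same host, if it happened within `window`."""
    last_write, hits = {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["kind"] == "file_write":
            if ev["path"].endswith(".code-workspace"):
                last_write[ev["host"]] = ev
        elif ev["kind"] == "process_start":
            write = last_write.get(ev["host"])
            if (write and ev["ts"] - write["ts"] <= window
                    and basename(ev["parent"]) in EDITOR_PARENTS
                    and basename(ev["image"]) in INTERPRETERS):
                hits.append({"host": ev["host"], "workspace": write["path"],
                             "child": ev["image"],
                             "delay_s": (ev["ts"] - write["ts"]).total_seconds()})
    return hits

# Constructed sample events (hosts, paths and times are made up).
T0 = datetime(2025, 10, 20, 10, 0, 0)
EVENTS = [
    {"ts": T0, "host": "dev-01", "kind": "file_write",
     "path": "/home/dev/proj/untitled.code-workspace"},
    {"ts": T0 + timedelta(seconds=40), "host": "dev-01", "kind": "process_start",
     "parent": "/opt/cursor/cursor", "image": "/bin/bash"},
    {"ts": T0 + timedelta(minutes=20), "host": "dev-01", "kind": "process_start",
     "parent": "/opt/cursor/cursor", "image": "/usr/bin/node"},
    {"ts": T0 + timedelta(seconds=5), "host": "dev-02", "kind": "file_write",
     "path": "/home/dev/app/main.py"},
    {"ts": T0 + timedelta(seconds=9), "host": "dev-02", "kind": "process_start",
     "parent": "/opt/cursor/cursor", "image": "/bin/bash"},
]

if __name__ == "__main__":
    print(correlate(EVENTS))
```

The editor starting a shell is normal on its own (dev-02 in the sample); only the pairing with a recent workspace-file write is reported.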
How to Mitigate CVE-2025-61590
Immediate Actions Required
- Upgrade Cursor to version 1.7 or later on all developer workstations
- Audit and remove untrusted MCP server configurations from Cursor settings
- Review existing .code-workspace files for unexpected entries in the settings, tasks, or launch sections
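One way to carry out the workspace-file review above, and the file-integrity monitoring listed under Detection Strategies, as an added example that is not part of the advisory or of Cursor: it compares a known-good snapshot of a .code-workspace file with the current copy and reports every leaf that was added, removed or changed under settings, tasks or launch. The path notation, the function names and both sample documents (including the `example.toolPath` key) are constructed for illustration.

```python
import json
import re

# Sections the advisory says to review in a .code-workspace file.
WATCHED = ("settings", "tasks", "launch")
_STRING = r'"(?:\\.|[^"\\])*"'
_COMMENT = re.compile(_STRING + r"|//[^\n]*|/\*.*?\*/", re.S)
_TRAILING_COMMA = re.compile(_STRING + r"|,(?=\s*[}\]])")

def load_jsonc(text):
    """Parse workspace JSON that may carry comments and trailing commas."""
    keep_strings = lambda m: m.group(0) if m.group(0).startswith('"') else " "
    return json.loads(_TRAILING_COMMA.sub(keep_strings, _COMMENT.sub(keep_strings, text)))

def flatten(node, prefix=""):
    """Map each leaf value to its key path, e.g. tasks/tasks/0/command."""
    if isinstance(node, dict):
        children = node.items()
    elif isinstance(node, list):
        children = enumerate(node)
    else:
        return {prefix: node}
    leaves = {}
    for key, value in children:
        leaves.update(flatten(value, f"{prefix}/{key}" if prefix else str(key)))
    return leaves

def diff_workspace(baseline_text, current_text):
    """Return (change, path, value) for every difference in the watched sections."""
    old, new = (flatten({k: v for k, v in load_jsonc(t).items() if k in WATCHED})
                for t in (baseline_text, current_text))
    findings = []
    for path in sorted(old.keys() | new.keys()):
        change = "added" if path not in old else "removed" if path not in new else "changed"
        if change != "changed" or old[path] != new[path]:
            findings.append((change, path, new.get(path, old.get(path))))
    return findings

# Constructed sample: a known-good snapshot and a later copy of the same file.
BASELINE = '{"folders": [{"path": "."}], "settings": {"editor.tabSize": 4}}'
CURRENT = """{
  "folders": [{"path": "."}, {"path": "../other"}], // constructed comment
  "settings": {"editor.tabSize": 2, "example.toolPath": "/tmp/constructed-tool",},
  "tasks": {"version": "2.0.0", "tasks": [{"label": "constructed", "command": "echo sample"}]}
}"""

if __name__ == "__main__":
    for change, path, value in diff_workspace(BASELINE, CURRENT):
        print(f"{change:8} {path} = {value!r}")
```

Changes to `folders` are ignored on purpose; the report covers only the three sections the advisory names.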
Patch Information
Anysphere fixed the issue in Cursor 1.7. The fix extends the protections originally added for CVE-2025-54130 to cover workspace settings paths, preventing the Agent from silently writing executable configuration into .code-workspace files. Refer to the Cursor GitHub Security Advisory for vendor guidance.
Workarounds
- Restrict the Cursor Agent's automatic file-write permissions and require explicit approval for edits to .code-workspace files
- Connect only to MCP servers that are internally operated or cryptographically verified
- Avoid pasting untrusted content, issue links, or third-party documentation into the Cursor chat while a workspace is open
- Run Cursor inside a sandboxed development environment or container with limited host access