CVE-2025-61593 Overview
CVE-2025-61593 is a prompt injection vulnerability affecting Cursor, an AI-powered code editor developed by Anysphere. The vulnerability exists in versions 1.7 and below due to improper protection of sensitive configuration files, specifically the */.cursor/cli.json files used by the Cursor CLI Agent. Through prompt injection techniques, attackers can manipulate the AI component to modify these sensitive files, ultimately achieving remote code execution on systems with case-insensitive filesystems.
Critical Impact
This vulnerability allows attackers to leverage prompt injection to achieve full remote code execution by modifying sensitive Cursor configuration files, potentially compromising developer workstations and source code repositories.
Affected Products
- Anysphere Cursor versions 1.7 and below
- Cursor CLI Agent component
- Systems running Cursor on case-insensitive filesystems (Windows, macOS)
Discovery Timeline
- 2025-10-03 - CVE-2025-61593 published to NVD
- 2025-10-09 - Last updated in NVD database
Technical Details for CVE-2025-61593
Vulnerability Analysis
This vulnerability falls under CWE-94 (Improper Control of Generation of Code), commonly known as Code Injection. The core issue lies in how the Cursor CLI Agent handles file path validation for its sensitive configuration files. The protection mechanism fails to account for case-insensitive filesystem behavior, creating an exploitable gap that attackers can leverage through prompt injection attacks against the AI component.
When the AI agent processes malicious prompts, it can be tricked into writing to configuration file paths using alternate casing (e.g., .Cursor/CLI.json instead of .cursor/cli.json). On case-insensitive filesystems like those used by Windows and macOS, these paths resolve to the same actual file, bypassing the intended security controls. The modified configuration can then be used to execute arbitrary code when the CLI agent processes the tampered settings.
Root Cause
The root cause is insufficient validation of file paths in case-insensitive filesystem environments combined with inadequate input sanitization in the AI prompt handling layer. The Cursor CLI Agent's file protection mechanism uses case-sensitive string comparisons to identify sensitive files, which fails to prevent access when alternate casing is used on filesystems that treat paths as case-insensitive.
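The comparison flaw described above, reduced to a small path guard. This is an added illustration, not Cursor's code: the function names and sample paths are assumptions, and the hardened variant shows the case-insensitive comparison in general form (it also unifies separators and resolves ".." segments).

```python
import posixpath

# Protected path suffix named in the advisory: */.cursor/cli.json
PROTECTED = (".cursor", "cli.json")

# Constructed sample paths (not taken from any real log)
SAMPLES = [
    "project/.cursor/cli.json",
    "project/.Cursor/CLI.json",
    "project\\.CURSOR\\Cli.JSON",
    "project/src/../.Cursor/cli.json",
    "project/src/main.py",
]


def _tail(path: str) -> tuple[str, ...]:
    """Last two components after unifying separators and resolving '..'."""
    norm = posixpath.normpath(path.replace("\\", "/"))
    return tuple(p for p in norm.split("/") if p)[-2:]


def is_protected_case_sensitive(path: str) -> bool:
    """Flawed pattern: exact string match, so alternate casing slips past."""
    return _tail(path) == PROTECTED


def is_protected_case_insensitive(path: str) -> bool:
    """Hardened pattern: compare case-folded components, so every spelling a
    case-insensitive filesystem maps to the same file is matched."""
    return tuple(p.casefold() for p in _tail(path)) == PROTECTED


def guard_write(path: str, check=is_protected_case_insensitive) -> str:
    """Decision a (hypothetical) write guard returns for a requested path."""
    return "deny" if check(path) else "allow"


if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p!r:40} sensitive={guard_write(p, is_protected_case_sensitive)}"
              f" insensitive={guard_write(p)}")
```

String folding only approximates what the filesystem does; when the target already exists, os.path.samefile compares the resolved files themselves.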
Attack Vector
The attack requires user interaction: a victim must process a maliciously crafted prompt through the Cursor AI interface. The prompt injection payload is designed to manipulate the AI into generating file operations that modify the cli.json configuration file, using alternate casing to bypass protections. Once the configuration is modified, attacker-controlled code can execute in the context of the Cursor application with the privileges of the current user.
The attack chain typically involves:
- A malicious prompt is delivered to the victim (via shared code, documentation, or collaborative sessions)
- The AI processes the prompt and is manipulated into writing to configuration files
- The modified configuration enables execution of attacker-controlled code
- Full RCE is achieved on the victim's system
Detection Methods for CVE-2025-61593
Indicators of Compromise
- Unexpected modifications to files in the .cursor directory or variations like .Cursor, .CURSOR
- Changes to cli.json configuration files with suspicious content or executable paths
- AI agent activity logs showing unusual file write operations to configuration directories
- Process execution spawned from Cursor that doesn't match expected behavior
Detection Strategies
- Monitor file system events for write operations to Cursor configuration directories using alternate casing patterns
- Implement file integrity monitoring for cli.json and related configuration files
- Review AI prompt logs for patterns indicative of prompt injection attempts
- Deploy endpoint detection rules that flag unusual child processes spawned by Cursor
Monitoring Recommendations
- Enable detailed logging for Cursor CLI Agent file operations
- Configure alerts for any modifications to protected configuration paths regardless of casing
- Monitor for unusual network connections or process spawning from the Cursor application
- Implement behavioral analysis to detect deviation from normal Cursor usage patterns
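A minimal integrity check for the file monitoring recommended above: it locates every cli.json under a .cursor directory, matching both names case-insensitively, and diffs SHA-256 hashes against a saved baseline. This is an added example, not Cursor or vendor tooling; the script's arguments and the baseline file format are assumptions.

```python
import hashlib
import json
import os
import sys
from pathlib import Path


def find_cli_configs(root: Path) -> list[Path]:
    """Every cli.json inside a .cursor directory under root, with both
    names matched case-insensitively (.Cursor/CLI.json is found too)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if Path(dirpath).name.casefold() != ".cursor":
            continue
        hits += [Path(dirpath, f) for f in files if f.casefold() == "cli.json"]
    return sorted(hits)


def snapshot(root: Path) -> dict[str, str]:
    """Map each config's on-disk relative path to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in find_cli_configs(root)
    }


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> list[tuple[str, str]]:
    """Return (status, path) findings: added, removed or modified."""
    findings = []
    for key in sorted(baseline.keys() | current.keys()):
        if key not in baseline:
            findings.append(("added", key))
        elif key not in current:
            findings.append(("removed", key))
        elif baseline[key] != current[key]:
            findings.append(("modified", key))
    return findings


if __name__ == "__main__":
    # Assumed usage: python cursor_fim.py <root> <baseline.json>
    root, baseline_file = Path(sys.argv[1]), Path(sys.argv[2])
    current = snapshot(root)
    if not baseline_file.exists():
        baseline_file.write_text(json.dumps(current, indent=2))  # first run: record baseline
    else:
        for status, path in diff_snapshots(json.loads(baseline_file.read_text()), current):
            print(f"{status}: {path}")
```

Keep the baseline file outside any workspace the agent can write to, so that it cannot be altered along with the configuration it protects.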
How to Mitigate CVE-2025-61593
Immediate Actions Required
- Update to a Cursor version containing commit 25b418f once officially released
- Restrict access to Cursor configuration directories with appropriate filesystem permissions
- Implement case-insensitive file path comparisons for any custom security controls
- Review and audit existing .cursor/cli.json files for unexpected modifications
Patch Information
A fix has been implemented in commit 25b418f but has not yet been released in an official version as of October 3, 2025. Users should monitor the GitHub Security Advisory for release announcements and update immediately when the patched version becomes available.
Workarounds
- Set the .cursor directory and its contents to read-only permissions where feasible
- Use filesystem access controls to prevent modifications to Cursor configuration files
- Exercise caution when processing prompts from untrusted sources or shared code repositories
- Consider running Cursor in a sandboxed environment until the official patch is released
# Configuration example - Restrict permissions on Cursor config directory
# For Unix/macOS systems:
chmod 500 ~/.cursor
chmod 400 ~/.cursor/cli.json
# For Windows systems, use icacls to restrict write access:
# icacls "%USERPROFILE%\.cursor" /deny Everyone:(W)
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


