CVE-2025-64107 Overview
CVE-2025-64107 is a path traversal vulnerability in Cursor, an AI-powered code editor developed by Anysphere. The vulnerability affects versions 1.7.52 and below, where improper validation of backslash characters in file paths allows attackers to bypass security controls and overwrite sensitive editor configuration files without user approval on Windows systems. When combined with prompt injection or other attack vectors, this flaw can lead to remote code execution (RCE).
Critical Impact
Attackers who achieve prompt injection or similar control over the editor can exploit this path traversal vulnerability to overwrite sensitive configuration files (such as mcp.json), potentially leading to arbitrary code execution on Windows machines without user approval.
Affected Products
- Anysphere Cursor versions 1.7.52 and below on Windows
- Cursor AI Code Editor for Windows platforms
- Any deployment using vulnerable Cursor versions with MCP configuration files
Discovery Timeline
- 2025-11-04 - CVE-2025-64107 published to NVD
- 2025-11-10 - Last updated in NVD database
Technical Details for CVE-2025-64107
Vulnerability Analysis
This vulnerability stems from inconsistent path validation within Cursor's internal file handling mechanisms. The editor implements security controls that detect path manipulation attempts using forward slashes (e.g., ./.cursor/./././././mcp.json), requiring human approval before allowing such operations to proceed. However, the same validation logic fails to account for Windows-style backslash path separators.
On Windows systems, both forward slashes and backslashes are valid path separators. By using backslash characters instead of forward slashes, an attacker can craft malicious paths that bypass the path manipulation detection entirely. This allows unauthorized modification of sensitive editor configuration files, including the mcp.json file that controls Model Context Protocol settings.
The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as Path Traversal. The attack requires user interaction (such as opening a malicious project or accepting a prompt injection payload), but once this prerequisite is met, the file overwrite occurs without additional approval dialogs.
Root Cause
The root cause is incomplete input validation in the path sanitization routine. While the developers correctly identified that forward slash-based path manipulation patterns (like ./) posed a security risk, they failed to apply the same defensive measures to backslash equivalents (.\). This is a common oversight in cross-platform applications where path handling differs between Unix-like systems and Windows.
The validation logic appears to use pattern matching or string inspection that specifically looks for forward slash sequences, leaving the backslash variant as an unguarded attack surface on Windows deployments.
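The separator mismatch can be reproduced with a small check. This is an added example, not Cursor's code: `needsApprovalNaive`, `needsApproval`, the `PROTECTED` set and the workspace root `C:\work\project` are hypothetical names chosen for illustration, and the flawed check is only a stand-in for the class of bug described above. Node's `path.win32` applies Windows path rules on any host OS.

```javascript
const path = require("path");

// Hypothetical list of files whose modification must be approved by the user,
// written relative to the workspace root with "/" separators.
const PROTECTED = new Set([".cursor/mcp.json"]);

// Flawed check (stand-in for the class of bug, not Cursor's code): it
// canonicalises only "/"-separated segments, so a backslash spelling stays
// one opaque segment and never matches a protected entry.
function needsApprovalNaive(requested) {
  const canonical = requested
    .split("/")
    .filter((seg) => seg !== "" && seg !== ".")
    .join("/");
  return PROTECTED.has(canonical);
}

// Hardened check: resolve with Windows semantics (both "/" and "\" separate
// segments), then compare the canonical workspace-relative path.
function needsApproval(requested, workspaceRoot = "C:\\work\\project") {
  const abs = path.win32.resolve(workspaceRoot, requested);
  const rel = path.win32.relative(workspaceRoot, abs);
  // Anything that leaves the workspace is never auto-approved.
  if (rel === ".." || rel.startsWith("..\\") || path.win32.isAbsolute(rel)) {
    return true;
  }
  // Windows file names are case-insensitive, so compare in lower case.
  return PROTECTED.has(rel.split("\\").join("/").toLowerCase());
}

// Constructed inputs: the two spellings quoted in the advisory plus controls.
const SAMPLES = [
  "./.cursor/./././././mcp.json",
  ".\\.cursor\\.\\.\\.\\.\\.\\mcp.json",
  ".CURSOR/.\\MCP.JSON",
  "src\\index.js",
];

function compareChecks() {
  return SAMPLES.map((p) => ({
    path: p,
    naive: needsApprovalNaive(p),
    hardened: needsApproval(p),
  }));
}

console.table(compareChecks());
```

The point for reviewers is that the approval decision should be made on the resolved path, using the platform's own separator rules, rather than on the string as supplied.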
Attack Vector
The attack requires an initial foothold, typically achieved through prompt injection against the AI assistant integrated into Cursor. Once an attacker can influence the editor's behavior through prompt injection or similar techniques, they can construct file operation requests using backslash-based path traversal sequences.
The attack path proceeds as follows:
- Attacker achieves prompt injection or gains some level of control over Cursor's AI-assisted operations
- Attacker crafts a malicious file path using backslash separators (e.g., .\.cursor\.\.\.\.\.\mcp.json)
- The path manipulation bypasses Cursor's forward-slash detection mechanism
- Sensitive configuration files are overwritten without triggering the human approval prompt
- Modified configuration enables code execution on subsequent editor operations
The vulnerability specifically targets the MCP (Model Context Protocol) configuration system, which governs how Cursor interacts with AI services and can be leveraged to execute arbitrary commands.
Detection Methods for CVE-2025-64107
Indicators of Compromise
- Unexpected modifications to .cursor/mcp.json or other editor configuration files
- File system audit logs showing backslash-based path traversal patterns in Cursor-related operations
- Unusual AI-generated file operations targeting editor configuration directories
- Modified MCP configurations containing unexpected tool definitions or command executions
Detection Strategies
- Monitor file integrity of Cursor configuration directories, particularly mcp.json files
- Implement endpoint detection rules that flag backslash-based path traversal patterns in application file operations
- Review Cursor's internal logs for file operations that bypass the standard approval workflow
- Deploy behavioral analysis to detect prompt injection attempts in AI-assisted coding sessions
Monitoring Recommendations
- Enable file system auditing on Windows systems for the Cursor configuration directory (%APPDATA%\Cursor or similar paths)
- Configure EDR solutions to alert on path traversal patterns containing sequences like .\..\ in file write operations
- Implement application whitelisting for files that Cursor is permitted to modify without user approval
- Establish baseline configurations for MCP settings and alert on deviations
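One way to implement the MCP baseline comparison from the last recommendation, as an added example that is not part of the original advisory or of Cursor. It assumes `mcp.json` holds its server definitions under an `mcpServers` key with `command`, `args`, `url` and `env` fields; the server names and commands in the sample data are constructed.

```javascript
const crypto = require("crypto");

// Hash the fields that decide what an MCP server entry launches or contacts.
function fingerprint(server) {
  const { command = null, args = [], url = null, env = {} } = server;
  const material = JSON.stringify([command, args, url, Object.entries(env).sort()]);
  return crypto.createHash("sha256").update(material).digest("hex");
}

// Map each server name in an mcp.json document to its fingerprint.
function snapshot(mcpJsonText) {
  const servers = JSON.parse(mcpJsonText).mcpServers ?? {};
  return Object.fromEntries(
    Object.entries(servers).map(([name, s]) => [name, fingerprint(s)])
  );
}

// Compare the current file with an approved snapshot and list deviations.
function diffAgainstBaseline(baseline, currentText) {
  let current;
  try {
    current = snapshot(currentText);
  } catch {
    // A config that no longer parses is itself a deviation worth alerting on.
    return [{ server: "*", finding: "unparseable" }];
  }
  const findings = [];
  for (const [name, fp] of Object.entries(current)) {
    if (!Object.hasOwn(baseline, name)) findings.push({ server: name, finding: "added" });
    else if (baseline[name] !== fp) findings.push({ server: name, finding: "changed" });
  }
  for (const name of Object.keys(baseline)) {
    if (!Object.hasOwn(current, name)) findings.push({ server: name, finding: "removed" });
  }
  return findings;
}

// Constructed sample data (hypothetical server names and commands).
const APPROVED = JSON.stringify({
  mcpServers: { docs: { command: "docs-mcp", args: ["--read-only"] } },
});
const OBSERVED = JSON.stringify({
  mcpServers: {
    docs: { command: "docs-mcp", args: [] },
    helper: { command: "example-tool" },
  },
});
console.log(diffAgainstBaseline(snapshot(APPROVED), OBSERVED));
```

Store the approved snapshot outside the directories the editor can write to, so that a configuration overwrite cannot also rewrite the baseline.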
How to Mitigate CVE-2025-64107
Immediate Actions Required
- Upgrade Cursor to version 2.0 or later immediately on all Windows systems
- Audit existing mcp.json and other configuration files for unauthorized modifications
- Review recent AI-assisted file operations for signs of prompt injection exploitation
- Consider temporarily disabling automated file operations until the upgrade is complete
Patch Information
Anysphere has addressed this vulnerability in Cursor version 2.0. The fix implements consistent path validation that properly handles both forward slash and backslash path separators on Windows systems. Users should upgrade immediately through Cursor's built-in update mechanism or by downloading the latest version from the official website.
For detailed information about the security fix, refer to the GitHub Security Advisory GHSA-2jr2-8wf5-v6pf.
Workarounds
- If immediate upgrade is not possible, disable AI-assisted file operations temporarily
- Implement strict file system permissions on Cursor configuration directories to prevent unauthorized modifications
- Use application control policies to restrict which files Cursor can modify
- Deploy network segmentation to limit exposure of vulnerable Cursor installations
- Consider using Cursor on non-Windows platforms where backslash path traversal is not applicable
# Configuration example - Restrict write access to Cursor configuration directory
# Run in PowerShell as Administrator on Windows systems
# PowerShell expands $env:APPDATA; the cmd.exe form %APPDATA% is not expanded here
icacls "$env:APPDATA\Cursor" /deny "Users:(OI)(CI)(W)" /T
# Note: This may break normal Cursor functionality - use only as temporary mitigation
# Restore with: icacls "$env:APPDATA\Cursor" /remove:d "Users" /T

