Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64108

CVE-2025-64108: Anysphere Cursor Path Traversal Flaw

CVE-2025-64108 is a path traversal vulnerability in Anysphere Cursor that exploits NTFS quirks to bypass file protections, potentially leading to RCE. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2025-64108 Overview

CVE-2025-64108 affects Cursor, an AI-powered code editor developed by Anysphere. Versions 1.7.44 and below contain a path traversal vulnerability [CWE-22] tied to NTFS path quirks on Windows systems. Attackers can bypass Cursor's sensitive file protections and overwrite files that normally require explicit human approval. Modifying certain protected files leads to remote code execution. Exploitation requires chaining the flaw with a prompt injection or a malicious model attachment. The issue is fixed in version 2.0.

Critical Impact

Successful exploitation allows attackers to overwrite protected files on NTFS systems, leading to remote code execution through prompt injection chains.

Affected Products

  • Anysphere Cursor versions 1.7.44 and below
  • Cursor installations on Windows systems supporting NTFS
  • Cursor deployments processing untrusted prompts or model attachments

Discovery Timeline

  • 2025-11-04 - CVE-2025-64108 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-64108

Vulnerability Analysis

The vulnerability resides in Cursor's file protection layer, which enforces explicit user approval before writing to sensitive files. The protection checks compare file paths against a sensitive-file list. NTFS supports several path representations for the same underlying file, including short (8.3) names, alternate data streams, trailing dots, trailing spaces, and case variations. Cursor's path normalization fails to canonicalize these representations before applying the protection check. An attacker who controls input to the agent can reference a protected file through an alternate NTFS path syntax. The check returns no match, and Cursor writes the file without prompting the user.

Root Cause

The root cause is incomplete path canonicalization on NTFS volumes, classified as Improper Limitation of a Pathname to a Restricted Directory [CWE-22]. Cursor's allowlist comparison operates on string-level paths rather than resolved file identifiers. NTFS path quirks produce multiple valid strings that resolve to the same file, defeating the string-based filter.

Attack Vector

The attacker must first establish prompt injection by supplying malicious instructions through a document, web page, repository file, or a malicious model attachment processed by Cursor. The injected instructions direct the agent to write to a sensitive file using an alternate NTFS path form. Cursor's approval gate is skipped, and the file is overwritten. Where the targeted file is executed by the user's shell, IDE startup, or build tooling, the overwrite results in code execution under the user's account.

No verified public proof-of-concept code is available. Technical specifics are documented in the Cursor GitHub Security Advisory.

Detection Methods for CVE-2025-64108

Indicators of Compromise

  • Unexpected modifications to Cursor configuration files, startup scripts, or shell profiles on developer workstations
  • File writes referencing NTFS short names (8.3 format), trailing dots, or trailing whitespace in path strings
  • Cursor agent activity that writes to sensitive paths without a corresponding user approval event in application logs

Detection Strategies

  • Monitor process creation events where Cursor.exe or its child processes write to user profile startup locations, IDE configuration directories, or system-wide executables
  • Alert on file modification events whose paths contain NTFS quirks such as ~1 short names, alternate data stream syntax (:), or anomalous trailing characters
  • Correlate Cursor file-write telemetry with prompt sources to identify writes triggered by externally supplied content

Monitoring Recommendations

  • Enable file integrity monitoring on Cursor configuration directories and developer shell profiles
  • Capture Cursor application logs alongside endpoint telemetry to validate that protected-file writes match approved user prompts
  • Review newly created scheduled tasks, autorun entries, and modified binaries on hosts running vulnerable Cursor versions

How to Mitigate CVE-2025-64108

Immediate Actions Required

  • Upgrade Cursor to version 2.0 or later on all Windows endpoints
  • Inventory developer workstations to identify installations of Cursor 1.7.44 and below
  • Restrict Cursor's ability to process untrusted external content, repositories, and third-party model attachments until patched

Patch Information

Anysphere has resolved the vulnerability in Cursor version 2.0. The fix addresses NTFS path canonicalization within the sensitive-file protection check. Refer to the Cursor GitHub Security Advisory GHSA-6r98-6qcw-rxrw for upgrade guidance and version details.

Workarounds

  • Limit Cursor agent use to trusted prompts, repositories, and model providers until the upgrade is deployed
  • Run Cursor under a least-privilege user account that cannot modify system-wide executables or shared developer tooling
  • Apply NTFS access control lists to harden write permissions on critical configuration files and startup locations referenced by IDE workflows

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.