CVE-2025-64108 Overview
CVE-2025-64108 affects Cursor, an AI-powered code editor developed by Anysphere. Versions 1.7.44 and below contain a path traversal vulnerability [CWE-22] tied to NTFS path quirks on Windows systems. Attackers can bypass Cursor's sensitive file protections and overwrite files that normally require explicit human approval. Modifying certain protected files leads to remote code execution. Exploitation requires chaining the flaw with a prompt injection or a malicious model attachment. The issue is fixed in version 2.0.
Critical Impact
Successful exploitation allows attackers to overwrite protected files on NTFS systems, leading to remote code execution through prompt injection chains.
Affected Products
- Anysphere Cursor versions 1.7.44 and below
- Cursor installations on Windows systems supporting NTFS
- Cursor deployments processing untrusted prompts or model attachments
Discovery Timeline
- 2025-11-04 - CVE-2025-64108 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-64108
Vulnerability Analysis
The vulnerability resides in Cursor's file protection layer, which enforces explicit user approval before writing to sensitive files. The protection checks compare file paths against a sensitive-file list. NTFS supports several path representations for the same underlying file, including short (8.3) names, alternate data streams, trailing dots, trailing spaces, and case variations. Cursor's path normalization fails to canonicalize these representations before applying the protection check. An attacker who controls input to the agent can reference a protected file through an alternate NTFS path syntax. The check returns no match, and Cursor writes the file without prompting the user.
Root Cause
The root cause is incomplete path canonicalization on NTFS volumes, classified as Improper Limitation of a Pathname to a Restricted Directory [CWE-22]. Cursor's allowlist comparison operates on string-level paths rather than resolved file identifiers. NTFS path quirks produce multiple valid strings that resolve to the same file, defeating the string-based filter.
Attack Vector
The attacker must first establish prompt injection by supplying malicious instructions through a document, web page, repository file, or a malicious model attachment processed by Cursor. The injected instructions direct the agent to write to a sensitive file using an alternate NTFS path form. Cursor's approval gate is skipped, and the file is overwritten. Where the targeted file is executed by the user's shell, IDE startup, or build tooling, the overwrite results in code execution under the user's account.
No verified public proof-of-concept code is available. Technical specifics are documented in the Cursor GitHub Security Advisory.
Detection Methods for CVE-2025-64108
Indicators of Compromise
- Unexpected modifications to Cursor configuration files, startup scripts, or shell profiles on developer workstations
- File writes referencing NTFS short names (8.3 format), trailing dots, or trailing whitespace in path strings
- Cursor agent activity that writes to sensitive paths without a corresponding user approval event in application logs
Detection Strategies
- Monitor process creation events where Cursor.exe or its child processes write to user profile startup locations, IDE configuration directories, or system-wide executables
- Alert on file modification events whose paths contain NTFS quirks such as ~1 short names, alternate data stream syntax (:), or anomalous trailing characters
- Correlate Cursor file-write telemetry with prompt sources to identify writes triggered by externally supplied content
Monitoring Recommendations
- Enable file integrity monitoring on Cursor configuration directories and developer shell profiles
- Capture Cursor application logs alongside endpoint telemetry to validate that protected-file writes match approved user prompts
- Review newly created scheduled tasks, autorun entries, and modified binaries on hosts running vulnerable Cursor versions
How to Mitigate CVE-2025-64108
Immediate Actions Required
- Upgrade Cursor to version 2.0 or later on all Windows endpoints
- Inventory developer workstations to identify installations of Cursor 1.7.44 and below
- Restrict Cursor's ability to process untrusted external content, repositories, and third-party model attachments until patched
Patch Information
Anysphere has resolved the vulnerability in Cursor version 2.0. The fix addresses NTFS path canonicalization within the sensitive-file protection check. Refer to the Cursor GitHub Security Advisory GHSA-6r98-6qcw-rxrw for upgrade guidance and version details.
Workarounds
- Limit Cursor agent use to trusted prompts, repositories, and model providers until the upgrade is deployed
- Run Cursor under a least-privilege user account that cannot modify system-wide executables or shared developer tooling
- Apply NTFS access control lists to harden write permissions on critical configuration files and startup locations referenced by IDE workflows
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

