Understanding the Security Risks in Cursor AI Editor
The Cursor AI Editor, a tool designed to enhance coding efficiency, has recently come under scrutiny due to a critical vulnerability that allows the autorun of malicious code. This issue stems from the disabling of the Workspace Trust feature, a security measure originally present in Visual Studio Code (VS Code), which prevents automatic task execution without explicit user consent. In Cursor, this feature is disabled by default, creating a significant security risk. As reported by Oasis Security, attackers can exploit this vulnerability by inserting a .vscode/tasks.json file into a repository, leading to potential data theft or system compromise when opened by a user. Furthermore, the autorun feature can be exploited through malicious repositories, as demonstrated by a proof-of-concept that executes unauthorized code upon opening a project (Infosecurity Magazine).
Understanding the Vulnerability: Autorun of Malicious Code
Disabling of Workspace Trust
The vulnerability in the Cursor AI Editor primarily arises from the disabling of the Workspace Trust feature, a security measure originally present in Visual Studio Code (VS Code). This feature is designed to prevent the automatic execution of tasks without the developer’s explicit consent. In the case of Cursor, this feature is disabled by default, allowing tasks to execute immediately upon opening a project folder. This creates a significant security risk, as threat actors can exploit this behavior to execute malicious code without user interaction. According to researchers at Oasis Security, a malicious actor can insert a .vscode/tasks.json file into a publicly shared repository. When a user opens such a repository with Cursor, arbitrary code can be executed in their environment, potentially leading to data theft or system compromise.
Exploitation via Malicious Repositories
The vulnerability can be exploited through malicious repositories crafted to execute code automatically when opened in Cursor. This is made possible by the autorun feature, which launches commands tied to workspace events such as opening a project. Attackers can embed hidden instructions within such a repository, so that unauthorized code runs as soon as a user opens it in Cursor. Oasis Security demonstrated the flaw with a proof-of-concept in which a tasks.json file executed a shell command that sent the current user’s name when the project folder was opened in Cursor. The potential consequences include theft of sensitive data, unauthorized access to developer environments, and a foothold for broader system compromise (Infosecurity Magazine).
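The autorun behaviour described above is declared in tasks.json through VS Code's runOptions.runOn = "folderOpen" setting, which is what Workspace Trust would normally gate. The following scanner, an added example rather than code from the article or from Oasis Security, walks a checkout before it is opened in an editor and reports every .vscode/tasks.json that carries such a task; the sample file and its echo command are constructed for the demonstration.

```python
import json
import re
import tempfile
from pathlib import Path

# Constructed sample tasks.json: one ordinary build task plus one declared with
# runOptions.runOn = "folderOpen"; the command mirrors the page's proof of concept.
SAMPLE_TASKS_JSON = """{
  // tasks.json is JSON with comments, so plain json.loads would reject it
  "version": "2.0.0",
  "tasks": [
    {"label": "build", "type": "shell", "command": "make"},
    {"label": "setup", "type": "shell", "command": "echo $USER",
     "runOptions": {"runOn": "folderOpen"},}
  ]
}"""


def _strip_jsonc(text):
    """Simplified JSONC cleanup: full-line // comments and trailing commas only."""
    text = re.sub(r"^\s*//.*$", "", text, flags=re.MULTILINE)
    return re.sub(r",(\s*[}\]])", r"\1", text)


def autorun_tasks(tasks_json_text):
    """Return the tasks declared to run automatically when the folder is opened."""
    doc = json.loads(_strip_jsonc(tasks_json_text))
    found = []
    for task in doc.get("tasks", []):
        if (task.get("runOptions") or {}).get("runOn") == "folderOpen":
            found.append({"label": task.get("label"), "command": task.get("command"),
                          "args": task.get("args", [])})
    return found


def scan_repo(root):
    """Walk a checkout and report every .vscode/tasks.json with a folderOpen task."""
    hits = {}
    for path in Path(root).rglob("tasks.json"):
        if path.parent.name != ".vscode":
            continue
        tasks = autorun_tasks(path.read_text(encoding="utf-8"))
        if tasks:
            hits[path.relative_to(root).as_posix()] = tasks
    return hits


def demo():
    """Write the constructed sample into a scratch checkout and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        vscode = Path(tmp) / ".vscode"
        vscode.mkdir()
        (vscode / "tasks.json").write_text(SAMPLE_TASKS_JSON, encoding="utf-8")
        return scan_repo(tmp)
```

Run scan_repo against a freshly cloned repository from a shell, not from the editor, so the check happens before any folder-open event can fire.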
Model Context Protocol (MCP) Auto-Start Vulnerability
Another critical aspect of the vulnerability is the exploitation of Cursor’s Model Context Protocol (MCP) auto-start functionality. This feature automatically executes new entries added to the ~/.cursor/mcp.json configuration file, creating an attack vector where malicious prompts can trigger remote code execution without user interaction. The flaw, identified as CVE-2025-54135, allows for remote code execution by exploiting the MCP auto-start mechanism. This vulnerability, combined with Cursor’s suggested edits feature, poses a significant risk, as it enables attackers to execute arbitrary commands before users have the opportunity to review or approve the changes (Cybersecurity News).
Risks of Prompt Injection
A related risk is indirect prompt injection: instructions hidden in content the model processes can cause Cursor to modify sensitive MCP files. In this way an attacker can write a dotfile such as .cursor/mcp.json through an indirect prompt injection, and the MCP auto-start then executes the new entry without user approval. This flaw, tracked as CVE-2025-54135, shows how attackers can gain unauthorized access and execute code on vulnerable systems (SecurityWeek).
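Because MCP auto-start executes whatever appears in ~/.cursor/mcp.json, a defender wants to know when that file gains or changes a server entry independently of the editor. The following check is an added example, not code from the article or from Cursor: it compares the live configuration against an approved baseline and lists the command line of every server the user has not yet signed off on. The mcp.json layout (servers keyed under "mcpServers" with command, args and env) and both snapshots are assumptions constructed for the example.

```python
import hashlib
import json
from pathlib import Path

# Constructed snapshots of the ~/.cursor/mcp.json that MCP auto-start reads.
# Assumed layout: servers keyed under "mcpServers", each with command/args/env.
APPROVED = {"mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "docs-server"]},
}}
CURRENT = {"mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "docs-server"]},
    "helper": {"command": "sh", "args": ["-c", "echo $USER"]},
}}


def _fingerprint(server):
    """Hash everything that decides what the server process would execute."""
    canonical = json.dumps(server, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_mcp(approved, current):
    """Servers added, changed or removed relative to the approved snapshot."""
    old = approved.get("mcpServers", {})
    new = current.get("mcpServers", {})
    report = {"added": [], "changed": [], "removed": []}
    for name, server in new.items():
        if name not in old:
            report["added"].append(name)
        elif _fingerprint(old[name]) != _fingerprint(server):
            report["changed"].append(name)
    report["removed"] = [n for n in old if n not in new]
    return report


def unapproved_commands(approved, current):
    """(name, command line) for every server the user has not yet approved."""
    servers = current.get("mcpServers", {})
    report = diff_mcp(approved, current)
    return [(n, " ".join([servers[n].get("command", "")] + servers[n].get("args", [])))
            for n in report["added"] + report["changed"]]


def check_files(config_path, baseline_path):
    """Compare the live config with a baseline file; a missing baseline approves nothing."""
    current = json.loads(Path(config_path).read_text(encoding="utf-8"))
    baseline = Path(baseline_path)
    approved = json.loads(baseline.read_text(encoding="utf-8")) if baseline.exists() else {}
    return unapproved_commands(approved, current)
```

Store the baseline outside the directory the editor can write to, and refresh it only after reviewing the reported command lines.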
Response and Mitigation
In response to these vulnerabilities, Cursor issued an update (version 1.3) on July 29, 2025, addressing the autorun and MCP vulnerabilities. The update requires mandatory approval for any changes to the MCP configuration, ensuring that users must explicitly approve or reject modifications before they take effect. This measure aims to mitigate the risk of unauthorized code execution by providing users with greater control over the execution of tasks and configurations within Cursor. Despite the update, it remains crucial for users to review and update their MCP configurations regularly to ensure protection against potential exploits (Check Point Research).
In summary, the autorun of malicious code in Cursor AI Editor presents a significant security risk due to the disabling of Workspace Trust, exploitation of malicious repositories, and vulnerabilities in the MCP auto-start functionality. These issues highlight the need for developers to remain vigilant and ensure that their development environments are secure and up-to-date with the latest patches and security measures.
Final Thoughts
The vulnerabilities in the Cursor AI Editor highlight the critical importance of maintaining robust security measures in development environments. The autorun of malicious code, facilitated by the disabling of Workspace Trust and the exploitation of the Model Context Protocol (MCP) auto-start functionality, underscores the need for vigilance among developers. The recent update to Cursor, which mandates user approval for MCP configuration changes, is a step in the right direction. However, as noted by Check Point Research, continuous monitoring and updating of security protocols remain essential to protect against evolving threats. Developers must ensure their environments are secure and up-to-date with the latest patches to mitigate risks effectively.
References
- Oasis Security. (2025). Cursor AI Editor lets repos autorun malicious code on devices. https://www.bleepingcomputer.com/news/security/cursor-ai-editor-lets-repos-autorun-malicious-code-on-devices/
- Infosecurity Magazine. (2025). Cursor autorun flaw lets repos execute code. https://www.infosecurity-magazine.com/news/cursor-autorun-flaw-repos-execute/
- Cybersecurity News. (2025). Cursor IDE vulnerability. https://cybersecuritynews.com/cursor-ide-vulnerability/
- SecurityWeek. (2025). Several vulnerabilities patched in AI code editor Cursor. https://www.securityweek.com/several-vulnerabilities-patched-in-ai-code-editor-cursor/
- Check Point Research. (2025). Cursor vulnerability MCPOISON. https://research.checkpoint.com/2025/cursor-vulnerability-mcpoison/