Cyber Resilience

CVE-2025-59944

High

Published: 03 October 2025

Published
03 October 2025
Modified
16 October 2025
KEV Added
Patch
CVSS Score v3.1 8.0 CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
EPSS Score 0.0027 51.2th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-59944 is a high-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in Anysphere Cursor. Its CVSS base score is 8.0 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked in the top 48.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the LLM/Generative AI Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-59944 affects Cursor, an AI-powered code editor for programming, specifically versions 1.6.23 and below. The vulnerability stems from case-sensitive checks used to protect sensitive files, such as those in the .cursor directory like mcp.json. This allows attackers to bypass protections and modify these files via prompt injection attacks, particularly on case-insensitive filesystems, ultimately enabling remote code execution.

Attackers with low privileges (PR:L) can exploit this over the network (AV:N) but require high attack complexity (AC:H), user interaction (UI:R), and a changed scope (S:C). By injecting malicious prompts into the AI features, they can alter sensitive file contents, achieving high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), resulting in full remote code execution on the victim's system.

The GitHub Security Advisory at https://github.com/cursor/cursor/security/advisories/GHSA-xcwh-rrwj-gxc7 details the issue and confirms it is fixed in Cursor version 1.7, recommending users upgrade immediately to mitigate the risk.

This vulnerability highlights prompt injection risks in AI-assisted development tools, where filesystem assumptions like case sensitivity can be exploited for code execution. No real-world exploitation has been reported as of the CVE publication on 2025-10-03.

EU & UK References

Vulnerability details

Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the way Cursor IDE protects its sensitive files (e.g., */.cursor/mcp.json), which allows attackers to modify the content of these files through prompt…

more

injection and achieve remote code execution. A prompt injection can lead to full RCE through modifying sensitive files on case-insensitive fileystems. This issue is fixed in version 1.7.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
LLM/Generative AI Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, mcp, prompt injection

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability enables remote code execution via prompt injection that bypasses case-sensitive protections on sensitive files like .cursor/mcp.json when on case-insensitive filesystems, directly facilitating Exploitation for Client Execution.

CVEs Like This One

CVE-2025-54135Same product: Anysphere Cursor
CVE-2025-61593Same product: Anysphere Cursor
CVE-2025-54136Same product: Anysphere Cursor
CVE-2025-61591Same product: Anysphere Cursor
CVE-2025-64106Same product: Anysphere Cursor
CVE-2025-61592Same product: Anysphere Cursor
CVE-2026-26268Same product: Anysphere Cursor
CVE-2026-31854Same product: Anysphere Cursor
CVE-2026-22708Same product: Anysphere Cursor
CVE-2025-64108Same product: Anysphere Cursor

Affected Assets

anysphere
cursor
≤ 1.6.23

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Timely flaw remediation through patching to Cursor version 1.7 directly fixes the case-sensitive file protection checks exploited for prompt injection leading to RCE.

prevent

Validates and sanitizes prompts input to AI features, preventing injection attacks that bypass protections and modify sensitive files like mcp.json.

preventdetect

Performs integrity checks on sensitive files such as mcp.json to detect modifications from prompt injection and prevent execution of tampered content causing RCE.

References