CVE-2025-59944
Published: 03 October 2025
Summary
CVE-2025-59944 is a high-severity Improper Handling of Case Sensitivity (CWE-178) vulnerability in Anysphere Cursor. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It ranks at the 48.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Other Platforms and falls in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely flaw remediation (patching to Cursor version 1.7) directly fixes the case-sensitive file-protection checks that prompt injection exploited to reach RCE.
Validating and sanitising prompt input to AI features prevents injection attacks that bypass protections and modify sensitive files such as mcp.json.
Integrity checks on sensitive files such as mcp.json detect modifications made via prompt injection and prevent execution of tampered content that would cause RCE.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote code execution via prompt injection that bypasses case-sensitive protections on sensitive files like .cursor/mcp.json on case-insensitive filesystems, directly facilitating Exploitation for Client Execution.
NVD Description
Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the way Cursor IDE protects its sensitive files (e.g., */.cursor/mcp.json), which allows attackers to modify the content of these files through prompt injection and achieve remote code execution. A prompt injection can lead to full RCE through modifying sensitive files on case-insensitive filesystems. This issue is fixed in version 1.7.
Deeper analysis
CVE-2025-59944 affects Cursor, an AI-powered code editor, specifically versions 1.6.23 and below. The vulnerability stems from case-sensitive checks used to protect sensitive files, such as mcp.json in the .cursor directory. On a case-insensitive filesystem, a differently cased spelling of the path refers to the same file yet does not match the protection check, so an attacker can bypass the protection and modify these files via prompt injection, ultimately enabling remote code execution.
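The defensive point in the paragraph above is that a protection check must compare paths in the same equivalence class the filesystem uses; otherwise a spelling that differs only in case refers to the protected file while slipping past the check. The example below is added here to illustrate that failure mode and its fix; it is not Cursor's code, and the function names, the `PROTECTED_SUFFIXES` list and the sample write paths are constructed for illustration. It places a naive case-sensitive suffix match beside a hardened check that normalises the path and, when the filesystem is case-insensitive, case-folds before comparing, plus a small probe that discovers the filesystem's behaviour at runtime instead of assuming it.

```python
import os
import posixpath
import tempfile

# Constructed: relative suffixes of files an editor should refuse to let an
# AI-driven edit touch, modelled on the advisory's example */.cursor/mcp.json.
PROTECTED_SUFFIXES = ("/.cursor/mcp.json",)


def _normalize(path: str) -> str:
    """Collapse separators and '..' segments so 'a/.cursor/../.cursor/x' == 'a/.cursor/x'."""
    return posixpath.normpath(path.replace("\\", "/"))


def is_protected_case_sensitive(path: str) -> bool:
    """The weak pattern: exact, case-sensitive suffix match.

    On a case-insensitive filesystem 'proj/.Cursor/MCP.JSON' opens the very same
    file as 'proj/.cursor/mcp.json', but only the latter spelling is flagged.
    """
    norm = _normalize(path)
    return any(norm.endswith(suffix) for suffix in PROTECTED_SUFFIXES)


def is_protected_hardened(path: str, case_insensitive_fs: bool) -> bool:
    """Hardened check: compare in the filesystem's own equivalence class.

    When the filesystem ignores case, both the candidate and the protected
    suffixes are case-folded before the comparison, so every spelling the
    filesystem would resolve to the protected file is rejected.
    """
    norm = _normalize(path)
    if case_insensitive_fs:
        norm = norm.casefold()
    for suffix in PROTECTED_SUFFIXES:
        expected = suffix.casefold() if case_insensitive_fs else suffix
        if norm.endswith(expected):
            return True
    return False


def fs_is_case_insensitive(directory: str) -> bool:
    """Probe a directory instead of guessing from the OS name.

    Creates a temporary file with a lowercase-bearing name and asks whether the
    upper-cased spelling of that name resolves to the same inode.
    """
    with tempfile.NamedTemporaryFile(dir=directory, prefix="probe_case_", suffix=".tmp") as fh:
        folder, name = os.path.split(fh.name)
        alias = os.path.join(folder, name.upper())
        return os.path.exists(alias) and os.path.samefile(fh.name, alias)


def audit(paths, case_insensitive_fs: bool):
    """Return the writes the case-sensitive check would allow but the hardened check blocks."""
    return [
        p for p in paths
        if is_protected_hardened(p, case_insensitive_fs) and not is_protected_case_sensitive(p)
    ]


# Constructed sample of paths an AI-driven edit might try to write.
SAMPLE_WRITES = [
    "proj/.cursor/mcp.json",                  # canonical spelling: both checks flag it
    "proj/.Cursor/mcp.json",                  # directory case differs
    "proj/.cursor/MCP.JSON",                  # file case differs
    "proj/src/.cursor/../.cursor/Mcp.Json",   # '..' segment plus mixed case
    "proj/notes.md",                          # unrelated file
    "proj/my.cursor/mcp.json",                # looks similar, different directory
]

if __name__ == "__main__":
    here_is_insensitive = fs_is_case_insensitive(tempfile.gettempdir())
    print("temp dir is case-insensitive:", here_is_insensitive)
    print("missed by case-sensitive check on a case-insensitive FS:", audit(SAMPLE_WRITES, True))
    print("missed on a case-sensitive FS:", audit(SAMPLE_WRITES, False))
```

Run stand-alone, the script reports whether the local temp directory ignores case and lists the three differently cased spellings that the naive check would let through on a case-insensitive filesystem. The unrelated `proj/my.cursor/mcp.json` is not flagged by either check because the suffix match is anchored on the separator before `.cursor`.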
Attackers with low privileges (PR:L) can exploit this over the network (AV:N) but require high attack complexity (AC:H), user interaction (UI:R), and a changed scope (S:C). By injecting malicious prompts into the AI features, they can alter sensitive file contents, achieving high confidentiality, integrity, and availability impacts (C:H/I:H/A:H), resulting in full remote code execution on the victim's system.
The GitHub Security Advisory at https://github.com/cursor/cursor/security/advisories/GHSA-xcwh-rrwj-gxc7 details the issue and confirms it is fixed in Cursor version 1.7, recommending users upgrade immediately to mitigate the risk.
This vulnerability highlights prompt injection risks in AI-assisted development tools, where filesystem assumptions like case sensitivity can be exploited for code execution. No real-world exploitation has been reported as of the CVE publication on 2025-10-03.
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Cursor is an AI-powered code editor designed for programming with AI assistance, fitting the Enterprise AI Assistants category as it integrates AI for developer workflows.