CVE-2025-61593
Published: 03 October 2025
Summary
CVE-2025-61593 is a high-severity Code Injection (CWE-94) vulnerability in Anysphere Cursor. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203); ranked at the 40.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Prevents prompt injection exploitation by validating and sanitizing inputs to the Cursor CLI Agent, blocking malicious payloads that modify sensitive files.
Ensures timely patching of the vulnerability as fixed in commit 25b418f to eliminate the improper file protection mechanism.
Detects unauthorized modifications to sensitive files like /.cursor/cli.json through integrity checks on software and configuration data.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote code execution via prompt injection in the Cursor CLI Agent, allowing modification of sensitive files to execute arbitrary code, mapping to exploitation of a client application.
NVD Description
Cursor is a code editor built for programming with AI. In versions 1.7 and below, a vulnerability in the way Cursor CLI Agent protects its sensitive files (i.e. */.cursor/cli.json) allows attackers to modify the content of the files through prompt…
more
injection, thus achieving remote code execution. A prompt injection can lead to full RCE through modifying sensitive files on case-insensitive filesystems. This issue is fixed in a commit, 25b418f, but has yet to be released as of October 3, 2025.
Deeper analysisAI
CVE-2025-61593 affects Cursor, an AI-powered code editor, specifically in versions 1.7 and below. The vulnerability resides in the Cursor CLI Agent's protection mechanism for sensitive files, such as those located at */.cursor/cli.json. Attackers can exploit this through prompt injection to modify the content of these files, enabling remote code execution (RCE). This issue is particularly effective on case-insensitive filesystems and is associated with CWE-94 (Improper Control of Generation of Code) and CWE-178 (Improper Handling of Case Sensitivity), with a CVSS v3.1 base score of 7.1 (AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H).
Exploitation requires network access, low privileges (PR:L), user interaction (UI:R), and high attack complexity (AC:H). A malicious actor with these conditions can deliver a prompt injection payload to the Cursor CLI Agent, tricking it into altering sensitive configuration files. Successful modification grants full RCE on the affected system, compromising confidentiality, integrity, and availability with high impact.
The GitHub Security Advisory (GHSA-x2vq-h6v6-jhc6) details the fix in commit 25b418f, though it remains unreleased as of October 3, 2025. Security practitioners should monitor for an official patch release and consider workarounds such as restricting CLI Agent usage, enforcing case-sensitive filesystems where possible, or disabling AI features until mitigation is available.
Notable context includes Cursor's AI integration for programming, making this prompt injection vulnerability relevant to AI/ML-assisted development tools, with no reported real-world exploitation as of disclosure.
Details
- CWE(s)
Affected Products
AI Security AnalysisAI
- AI Category
- Enterprise AI Assistants
- Risk Domain
- LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025
- None mapped
- Classification Reason
- Cursor is an AI-powered code editor with a CLI Agent designed for programming assistance, fitting the Enterprise AI Assistants category as it provides AI-driven coding support in a professional development environment.