CVE-2025-64108
Published: 04 November 2025
Summary
CVE-2025-64108 is a high-severity Path Traversal (CWE-22) vulnerability in Anysphere Cursor. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Defense Evasion (T1211). The vulnerability ranks at the 25.7th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised under Enterprise AI Assistants, within the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Validates AI prompts and file paths to block path traversal and code injection attacks that exploit NTFS quirks.
- Enforces logical access controls to prevent unauthorized overwrites of protected files that require human approval.
- Verifies the integrity of critical software files to detect unauthorized modifications that could enable RCE.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability uses NTFS path quirks to bypass the application's protections that require human approval before sensitive files are overwritten, which is exploitation for defense evasion (T1211). Overwriting those protected files in turn allows host software binaries to be compromised to achieve RCE (T1554).
NVD Description
Cursor is a code editor built for programming with AI. In versions 1.7.44 and below, various NTFS path quirks allow a prompt injection attacker to circumvent sensitive file protections and overwrite files which Cursor requires human approval to overwrite. Modification of some of the protected files can lead to RCE. Must be chained with a prompt injection or malicious model attach. Only affects systems supporting NTFS. This issue is fixed in version 2.0.
Deeper analysis
CVE-2025-64108 is a high-severity vulnerability (CVSS v3.1 score of 8.8) in Cursor, an AI-powered code editor, affecting versions 1.7.44 and below. It arises from various NTFS path quirks (mapped to CWE-22: Path Traversal and CWE-94: Code Injection) that allow a prompt injection attacker to circumvent protections on sensitive files, enabling overwrites of files that normally require human approval. Modifying certain protected files can lead to remote code execution (RCE). The flaw is limited to systems supporting NTFS.
Exploitation requires chaining with a prompt injection or malicious model attachment. An attacker with low privileges (PR:L) can trigger it over the network (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N), potentially achieving high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H) through RCE.
Cursor has addressed the issue in version 2.0. Additional details are available in the GitHub security advisory at https://github.com/cursor/cursor/security/advisories/GHSA-6r98-6qcw-rxrw.
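The class of bug described above is a protected-file check that compares path strings literally while the filesystem accepts many spellings of the same file. As an added example (not code from Cursor or from the advisory), the following defender-side check canonicalises Windows path spellings before comparing a requested write against a protected-file list. The quirks it folds (case, trailing dots and spaces, alternate data streams, `\\?\` and `\\.\` prefixes, `..` segments, 8.3 short names) are general Win32/NTFS behaviours assumed for the example, not a statement of which quirk this CVE used; the protected-file list is constructed.

```python
import ntpath
import re

# Constructed sample list of files whose modification should require human approval.
PROTECTED_FILES = [
    r"C:\proj\.cursor\mcp.json",
    r"C:\proj\.vscode\settings.json",
]

# 8.3 short names (e.g. MCP~1.JSO) can only be expanded by asking the filesystem,
# so a purely string-based check cannot prove them safe (heuristic, assumed here).
SHORT_NAME = re.compile(r"~\d+")


def canonicalize(path: str) -> str:
    """Collapse the NTFS/Win32 spellings of one file into a single canonical string.

    Handles / vs \\, the \\\\?\\ and \\\\.\\ prefixes, '.' and '..' segments,
    trailing dots and spaces (ignored by Win32), alternate data streams
    ('file:stream') and case-insensitivity. The stripping is deliberately
    stricter than Win32 itself: over-collapsing can only produce a false
    "protected" verdict, which is the safe direction for this check.
    Uses only ntpath, so it runs on any OS.
    """
    p = path.replace("/", "\\")
    if p[:4] in ("\\\\?\\", "\\\\.\\"):          # drop long-path / device prefix
        p = p[4:]
        if p[:4].upper() == "UNC\\":             # \\?\UNC\server\share -> \\server\share
            p = "\\\\" + p[4:]
    p = ntpath.normpath(p)                       # resolves '.' / '..' and repeated separators
    drive, tail = ntpath.splitdrive(p)
    parts = []
    for seg in tail.split("\\"):
        seg = seg.split(":", 1)[0]               # discard any alternate data stream suffix
        seg = seg.rstrip(". ")                   # discard trailing dots / spaces
        parts.append(seg)
    return ntpath.normcase(drive + "\\".join(parts))


def is_protected(candidate: str, protected=PROTECTED_FILES) -> bool:
    """Return True if a write to `candidate` must be routed through human approval."""
    canon = canonicalize(candidate)
    if SHORT_NAME.search(canon):
        return True                              # unresolvable offline: fail closed
    return canon in {canonicalize(p) for p in protected}
```

A real implementation should additionally resolve the path through the filesystem (e.g. `os.path.realpath` on Windows) so that short names and junctions are expanded rather than merely refused.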
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason:
  Cursor is an AI-powered code editor for programming, fitting the Enterprise AI Assistants category because it integrates AI (likely LLMs) for code assistance, and the vulnerability involves AI-specific prompt injection.