Maccarita

**Name of the Vulnerable Software and Affected Versions** Cursor versions 1.6 and below **Description** Cursor, a code editor built for programming with AI, is susceptible to Remote Code Execution (RCE) attacks through Visual Studio Code Workspaces. Workspaces allow users to open multiple folders and save specific settings. An attacker who can hijack the chat context of a victim can use prompt injection to modify workspace files, bypassing a previous security measure and leading to RCE by writing to the settings section. **Recommendations** Update to version 1.7 or later.

**Name of the Vulnerable Software and Affected Versions** Cursor versions 1.6 and below **Description** Cursor, a code editor for programming with AI, has an issue where Mermaid, used for rendering diagrams, allows embedding images. This can be exploited to exfiltrate sensitive information to a third-party attacker-controlled server through an image fetch, following a successful prompt injection. A malicious model or backdoor could also trigger this exploit. The issue requires prompt injection from malicious data such as web content, image uploads, or source code to be successfully exploited. The `image fetch` mechanism is used to transmit data to an external server controlled by the attacker. **Recommendations** Update to version 1.7 or later.

Name of the Vulnerable Software and Affected Versions: Roo Code versions prior to 3.25.5 Description: Roo Code, an AI-powered autonomous coding agent, does not correctly process process substitution and single ampersand characters within its command parsing logic for auto-execute commands. If a user has enabled auto-approved execution for a command, an attacker who can submit crafted prompts to the agent may inject arbitrary commands to be executed alongside the intended command. Exploitation requires the attacker to have access to submit prompts and for the user to have enabled auto-approved command execution, which is disabled by default. This could allow an attacker to execute arbitrary code. Recommendations: Update to version 3.25.5 or later.

**Name of the Vulnerable Software and Affected Versions** Zed versions prior to 0.197.3 **Description** Zed is a multiplayer code editor. In versions prior to 0.197.3, the Zed Agent Panel allowed an AI agent to achieve Remote Code Execution (RCE) by bypassing user permission checks. An AI Agent could exploit a permissions bypass to create or modify a project-specific configuration file, leading to the execution of arbitrary commands on a victim's machine without required approval. The vulnerability exists within the Zed Agent Panel and involves bypassing user permission checks. The vulnerable component allows an AI agent to create or modify project-specific configuration files. This can lead to the execution of arbitrary commands on a victim’s machine. The `Zed Agent Panel` is the affected API endpoint. **Recommendations** Versions prior to 0.197.3 should be updated to version 0.197.3 or later. Avoid sending prompts to the Agent Panel. Limit the AI Agent's file system access.

**Name of the Vulnerable Software and Affected Versions** Cursor versions prior to 1.3.9 **Description** Cursor, a code editor built for programming with AI, allows writing in-workspace files without user approval in affected versions. Specifically, creating new dotfiles does not require approval, while editing existing ones does. This allows an attacker to chain an indirect prompt injection vulnerability to hijack the context and write to sensitive editor files, such as the `.vscode/settings.json` file, potentially triggering Remote Code Execution (RCE) on the victim's machine without user approval. **Recommendations** Update to version 1.3.9 or later.

**Name of the Vulnerable Software and Affected Versions** Roo Code versions 3.23.18 and below **Description** Roo Code, an AI-powered autonomous coding agent, does not validate line breaks (` `) in its command input. This bypasses the allow-list mechanism due to a lack of parsing or validation logic, potentially enabling command injection. Only the first line or token may be considered during command evaluation, allowing attackers to smuggle additional commands in subsequent lines. **Recommendations** Update to Roo Code version 3.23.19 or later.

Name of the Vulnerable Software and Affected Versions: Roo Code versions prior to 3.22.6 Description: Roo Code is an AI-powered autonomous coding agent. If the victim had "Write" auto-approved, an attacker with the ability to submit prompts to the agent could write to VS Code settings files and trigger code execution. One example is with the `php.validate.executablePath` setting, which lets you set the path for the php executable for syntax validation. The attacker could have written the path to an arbitrary command there and then created a php file to trigger it. Recommendations: For versions prior to 3.22.6, update to version 3.22.6 to resolve the issue. As a temporary workaround, consider disabling the "Write" auto-approved feature until the update is applied. Restrict access to the `php.validate.executablePath` setting to minimize the risk of exploitation. Avoid using the `php.validate.executablePath` setting in VS Code settings files until the issue is resolved.

Name of the Vulnerable Software and Affected Versions: Roo Code versions prior to 3.20.3 Description: The issue concerns the execution of arbitrary commands through the MCP configuration file. An attacker with access to the system could craft a prompt to write a malicious command to the MCP configuration file, potentially leading to arbitrary command execution. This requires the attacker to have the ability to submit prompts, for the user to have MCP enabled, and for the user to have enabled auto-approved file writes. The issue is considered moderate in severity. Recommendations: For versions prior to 3.20.3, update to version 3.20.3 to fix the issue by adding an additional layer of opt-in configuration for auto-approving writing to Roo's configuration files. As a temporary workaround, consider disabling the auto-approve file writes feature to minimize the risk of exploitation. Restrict access to the `.roo/` folder and its contents to prevent unauthorized modifications.

Name of the Vulnerable Software and Affected Versions: Roo Code versions prior to 3.20.3 Description: The issue concerns the Roo Code agent's `search files` tool, which did not respect the setting to disable reads outside of the VS Code workspace. This allowed an attacker who could inject a prompt into the agent to potentially read a sensitive file and write the information to a JSON schema. The feature to fetch schemas is enabled by default in VS Code, and writing to the schema would trigger a network request without user intervention. The issue is of moderate severity, requiring the attacker to already be able to submit prompts to the agent. Recommendations: For versions prior to 3.20.3, update to version 3.20.3 to resolve the issue where the `search files` tool did not respect the setting to limit it to the workspace. As a temporary workaround, consider disabling the `search files` tool or the schema fetching feature in VS Code to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Cursor versions prior to 0.51.0 **Description** The issue allows an attacker to trigger an arbitrary HTTP GET request without user confirmation by writing a JSON file. This could potentially be used to exfiltrate data if a malicious agent gains access, for example, after a successful prompt injection attack. The `json.schemaDownload.enable` setting being set to True by default prior to version 0.51.0 is the root cause. **Recommendations** For versions prior to 0.51.0, update to version 0.51.0 to resolve the issue. As a temporary workaround, consider setting the `json.schemaDownload.enable` setting to False to prevent arbitrary HTTP GET requests.