PT-2024-31700 · Cursor

Esquilichi · Published 2024-09-24 · Updated 2024-09-26

CVE-2024-45599
CVSS v3.1: 3.8 (Low)
Vector: AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Cursor versions prior to 0.41.0
Description: The issue affects Cursor, an artificial intelligence code editor, on macOS. If a user has granted Cursor access to the camera or microphone, any program run on the machine can access these devices without explicit permission. This is possible through dylib injection using the DYLD_INSERT_LIBRARIES environment variable, which the application's entitlements com.apple.security.cs.allow-dyld-environment-variables and com.apple.security.cs.disable-library-validation permit. The entitlements com.apple.security.device.camera and com.apple.security.device.audio-input allow the application to use the host camera and microphone, respectively. As a result, untrusted code executed on the user's machine can access the camera or microphone if the user has already given permission for Cursor to do so.
Recommendations: For versions prior to 0.41.0, as a temporary workaround, consider not explicitly giving Cursor permission to access the camera or microphone if untrusted users can run arbitrary commands on the affected machine. Update to version 0.41.0 or later, where the entitlements have been split by process to prevent this issue.
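As an added example (not from this advisory or from Cursor), the audit a defender can run against any installed app: parse the entitlements plist that `codesign -d --entitlements :- /path/to/App.app` prints on macOS and flag the combination the description above relies on, both injection-enabling entitlements plus a camera or microphone entitlement in the same process. The sample plist is constructed for the example and is not Cursor's real entitlements file.

```python
import plistlib

# Entitlements that let DYLD_INSERT_LIBRARIES load a non-Apple-signed dylib
# into a hardened-runtime process (both are needed).
INJECTION_ENTITLEMENTS = {
    "com.apple.security.cs.allow-dyld-environment-variables",
    "com.apple.security.cs.disable-library-validation",
}
# Device entitlements whose user grant injected code would inherit.
DEVICE_ENTITLEMENTS = {
    "com.apple.security.device.camera": "camera",
    "com.apple.security.device.audio-input": "microphone",
}


def audit_entitlements(plist_bytes: bytes) -> dict:
    """Report which injection and device entitlements are enabled and whether
    the CVE-2024-45599 pattern (injection possible + device access) is present."""
    entitlements = plistlib.loads(plist_bytes)
    enabled = {key for key, value in entitlements.items() if value is True}
    injection = sorted(enabled & INJECTION_ENTITLEMENTS)
    devices = sorted(DEVICE_ENTITLEMENTS[k] for k in enabled if k in DEVICE_ENTITLEMENTS)
    # One injection entitlement alone is not enough: the runtime still blocks the
    # environment variable or rejects the unsigned library. Flag only the full set
    # combined with at least one device grant.
    risky = injection == sorted(INJECTION_ENTITLEMENTS) and bool(devices)
    return {"injection": injection, "devices": devices, "risky": risky}


# Constructed sample resembling a single-process entitlements file (hypothetical).
SAMPLE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>com.apple.security.cs.allow-dyld-environment-variables</key><true/>
  <key>com.apple.security.cs.disable-library-validation</key><true/>
  <key>com.apple.security.cs.allow-jit</key><true/>
  <key>com.apple.security.device.camera</key><true/>
  <key>com.apple.security.device.audio-input</key><true/>
</dict>
</plist>
"""

if __name__ == "__main__":
    # On macOS, feed real output instead:
    #   codesign -d --entitlements :- /Applications/Example.app > ents.plist
    print(audit_entitlements(SAMPLE_PLIST))
```

A fixed layout like the 0.41.0 split, where the helper process that holds the device entitlements no longer carries the injection entitlements, reports `risky: False` for each bundle.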

Related Identifiers

CVE-2024-45599
GHSA-X352-XV29-R74M

Affected Products

Cursor