PT-2025-31699 · Cursor · Cursor

Yellowday60-Git · Published 2025-08-01 · Updated 2025-08-02 · CVE-2025-54131

CVSS v3.1: 6.4
Vector: AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions:

Cursor versions prior to 1.3

Description:

Cursor, a code editor built for programming with AI, allows an attacker to bypass the allowlist in auto-run mode by using shell command substitution with a backtick (`) or $(cmd). The bypass enables arbitrary command execution outside the allowlist without user approval. It applies only if the user has changed the default settings to use an allowlist instead of requiring approval for each terminal call. The issue can be triggered if chained with indirect prompt injection.
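The class of bug described above, as an added example (not Cursor's code and not part of the advisory): a check that approves a command line by its first word, next to a fail-closed validator that rejects command substitution. The allowlist contents, function names and sample commands are constructed for illustration.

```python
import re
import shlex

# Constructed allowlist for this example (not Cursor's configuration).
ALLOWLIST = {"ls", "git", "echo"}

# Characters accepted in an argument. Anything else, including ` $ ( ) ; | &,
# causes rejection, so command substitution can never reach a shell.
SAFE_TOKEN = re.compile(r"[A-Za-z0-9_./:=@%+,-]+")


def naive_allowed(command: str) -> bool:
    """Weak check: approves a command line by its first word only."""
    words = command.split()
    return bool(words) and words[0] in ALLOWLIST


def strict_argv(command: str):
    """Fail-closed check: return an argv list to run WITHOUT a shell, or None."""
    try:
        argv = shlex.split(command, posix=True)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWLIST:
        return None
    if not all(SAFE_TOKEN.fullmatch(tok) for tok in argv):
        return None
    return argv


if __name__ == "__main__":
    # Constructed sample command lines; nothing is executed here.
    samples = ["git status", "echo `whoami`", "echo $(whoami)", "echo 'unterminated"]
    for cmd in samples:
        print(f"{cmd!r:24} naive={naive_allowed(cmd)!s:5} strict={strict_argv(cmd)}")
```

A caller would pass the returned list to `subprocess.run(argv, shell=False)` so that no shell re-parses the string after validation.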

Recommendations:

Update to version 1.3 or later.

Fix

Command Injection

Weakness Enumeration

Related Identifiers

CVE-2025-54131

Affected Products

Cursor