PT-2025-40542 · Cursor · Cursor
Alonza · Published 2025-10-03 · Updated 2025-10-10 · CVE-2025-61593
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Cursor versions 1.7 and below
Description
Cursor CLI Agent does not adequately protect its sensitive files, specifically */.cursor/cli.json. This allows attackers to modify the content of these files through prompt injection, potentially leading to remote code execution (RCE). A prompt injection can result in full RCE by modifying sensitive files on case-insensitive filesystems.
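The description turns on path matching on case-insensitive filesystems, where a protected file can be reached under more than one spelling. The sketch below is an added example, not Cursor's code or its fix: it puts a byte-exact deny check beside one that compares a normalised, case-folded key. The function names, the suffix-match policy and the `/work/proj` workspace root are assumptions.

```javascript
const posixPath = require("path").posix;

// ".cursor/cli.json" is the file named in the advisory; the suffix-match
// policy and every function name here are assumptions for illustration.
const PROTECTED_SUFFIXES = [".cursor/cli.json"];

// Weak form: byte-exact comparison on the path as the caller spelled it.
function naiveIsProtected(requested) {
  return PROTECTED_SUFFIXES.some(
    (s) => requested === s || requested.endsWith("/" + s)
  );
}

// Comparison key: absolute path with "." and ".." resolved, separators
// unified, Unicode normalised and case folded. toLowerCase() approximates
// filesystem case folding; over-matching is acceptable for a deny rule.
function comparisonKey(requested, workspaceRoot) {
  const unified = requested.replace(/\\/g, "/");
  return posixPath.resolve(workspaceRoot, unified).normalize("NFKC").toLowerCase();
}

// Hardened form: decide on the comparison key, not the raw string.
function isProtected(requested, workspaceRoot) {
  const key = comparisonKey(requested, workspaceRoot);
  return PROTECTED_SUFFIXES.some((s) => key.endsWith("/" + s));
}

// Gate an agent-initiated write; protected files need explicit user approval.
function checkWrite(requested, workspaceRoot) {
  return isProtected(requested, workspaceRoot)
    ? { allowed: false, reason: "protected agent configuration" }
    : { allowed: true, reason: "" };
}

// Constructed sample requests, not taken from the advisory.
const samples = [".cursor/cli.json", ".Cursor/CLI.json", "src/../.CURSOR/./cli.JSON", "src/cli.json"];
for (const p of samples) {
  console.log(p, "naive:", naiveIsProtected(p), "hardened:", isProtected(p, "/work/proj"));
}
```

String normalisation also covers files that do not exist yet. For files that already exist, comparing the resolved file identity after following symlinks is a useful additional check.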
Recommendations
Update to a version later than 1.7.
Exploit
Fix
RCE
Code Injection
Related Identifiers
Affected Products
Cursor