CVE-2025-59944

Name of the Vulnerable Software and Affected Versions Cursor versions 1.6.23 and below

Description Cursor IDE has case-sensitive checks when protecting sensitive files, such as /.cursor/mcp.json. This allows attackers to modify these files through prompt injection, potentially leading to remote code execution (RCE). This is possible on case-insensitive file systems. A prompt injection can result in full RCE by modifying sensitive files.

Recommendations Update to version 1.7 or later.