PT-2025-48141 · Cursor · Cursor

Published: 2025-11-26 · Updated: 2025-12-01 · CVE-2025-62354

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: Cursor (affected versions not specified)

Description: An improper neutralization of special elements used in an OS command ('command injection') exists in Cursor. This allows an unauthorized attacker to execute commands that are outside of those specified in the allowlist, potentially leading to arbitrary code execution. The issue is described as a critical risk, with a CVSS score of 9.8. The vulnerability bypasses the allowlist entirely, enabling remote code execution without user interaction. The issue is present when Cursor is in autorun mode.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

RCE

OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2025-62354

Affected Products: Cursor