SecurityWeek

Unpatched Cursor Vulnerability Exposes Users to Code Execution


An unpatched vulnerability in Cursor on Windows can be triggered for code execution when a developer opens a repository in the application, Mindgard reports.

Cursor is one of the most popular AI-assisted development environments, with more than 7 million active users.

The security defect, Mindgard says, is straightforward: when opening a repository, Cursor would automatically execute a malicious git.exe binary in the project’s root without warning the user or asking for approval.

“The vulnerability is not theoretical and does not depend on a complex chain of exploitation, prompt injection, model manipulation, jailbreaks, memory corruption, or sophisticated attacker tradecraft. Exploitation simply requires a developer to open a project containing a git.exe binary in the repository at the root,” Mindgard says.

According to Mindgard, the issue exists because, when loading a project, Cursor looks for Git binaries in multiple locations, including the workspace itself.

“If an attacker planted a malicious git.exe in the repository root, Cursor will execute it automatically as part of its path resolution logic without warning, approval, or even an indication that executable content from the repository is about to run,” Mindgard explains.

Advertisement. Scroll to continue reading.

Mindgard has disclosed the vulnerability publicly after reporting it to Cursor on December 15, 2025, and receiving no response regarding a potential patch for seven months.

The company says Cursor’s CISO invited Mindgard to its bug bounty program on HackerOne in January, where the security defect was resubmitted and confirmed as reproducible, but it has not received a response from Cursor.

“But coordinated disclosure only works when there is coordination. Seven months after initial disclosure, we have no indication that users are being protected, that remediation is underway, or that affected organizations have been informed. And at this point, withholding information no longer serves users; it serves silence,” Mindgard notes.

SecurityWeek has emailed Cursor for a statement on the matter and will update this article if the company responds.

Related: Windows Bind Link Attacks Can Hide Malware From EDR Tools

Related: Vulnerabilities Patched by Fortinet, Ivanti, ServiceNow

Related: Progress Confirms Zero-Day Vulnerability Behind ShareFile Disruption

Related: NIST Opens Updated IoT Security Guidance to Public Review



Source link