cvedb.io
CVE-2025-61592
HIGH · CVSS 8.8
EPSS exploitation probability: 0%
Published 2025-10-03T18:15:36.067 · Last modified 2026-06-17T09:50:36.980

Summary

Cursor is a code editor built for programming with AI. In versions 1.7 and below, automatic loading of project-specific CLI configuration from the current working directory (<project>/.cursor/cli.json) could override certain global configurations in Cursor CLI. This allowed users running the CLI inside a malicious repository to be vulnerable to Remote Code Execution through a combination of permissive configuration (allowing shell commands) and prompt injection delivered via project-specific Rules (<project>/.cursor/rules/rule.mdc) or other mechanisms. The fix for this issue is currently available as a patch 2025.09.17-25b418f. As of October 3, 2025 there is no release version.

Affected products

anysphere — cursor

Does this affect you?

Add your gear to cvedb and we'll alert you only when anysphere ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.