Full Report
A weakness in the Cursor code editor exposes developers to the risk of automatically executing tasks in a malicious repository as soon as it's opened. [...]
Analysis Summary
# Vulnerability: Cursor AI Editor Executes Malicious Code on Repository Open
## CVE Details
- CVE ID: Not assigned in the provided text.
- CVSS Score: Not explicitly scored in the provided text.
- CWE: Likely related to CWE-94 (Improper Control of Generation of Code ('Code Injection')) or CWE-78 (Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')) due to arbitrary code execution via configuration files.
## Affected Systems
- Products: Cursor AI editor (IDE)
- Versions: All versions of Cursor in which the VS Code Workspace Trust feature is disabled by default (the default configuration described in the report).
- Configurations: Default configuration where Workspace Trust is disabled, allowing automatic execution of tasks defined in `.vscode/tasks.json` upon project opening.
## Vulnerability Description
The Cursor AI editor, a fork of VS Code, disables the default VS Code **Workspace Trust** feature. As a result, tasks defined in project configuration files (specifically `.vscode/tasks.json`) execute automatically as soon as a developer opens a repository. A threat actor can place malicious code in this file in a shared repository; it executes when the repository is opened, allowing malware injection, theft of credentials/API tokens, or environment hijacking without the user explicitly running any command. VS Code itself is not affected by this behavior in its default configuration.
## Exploitation
- Status: Proof-of-Concept (PoC) available.
- Complexity: Low (Execution occurs automatically upon opening a repository).
- Attack Vector: Network (via malicious repository clone/open).
## Impact
- Confidentiality: High (Can steal sensitive data like credentials and API tokens).
- Integrity: High (Can modify files or introduce malware).
- Availability: Medium (Potential for system compromise affecting availability).
## Remediation
### Patches
- **No vendor patch available.** Cursor has stated they intend to keep the autorun behavior enabled because disabling Workspace Trust is necessary for core AI features.
### Workarounds
1. **Enable Workspace Trust:** Users can manually re-enable the VS Code Workspace Trust security feature within Cursor settings/configuration to restore default safety checks.
2. **Use Alternative Editors:** Use a basic text editor (not Cursor) when opening suspicious or unknown repositories.
3. **Verify Repositories:** Verify the trustworthiness of repositories before opening them in Cursor.
4. **Review Shell Profiles:** Avoid exporting sensitive credentials globally in shell profiles, as this information can be compromised if code execution occurs.
## Detection
- Indicators of Compromise: Unexpected network connections initiated from the local machine upon opening a specific repository, unauthorized modification of local files, or unexpected commands running in the terminal context associated with the IDE.
- Detection methods and tools: Standard endpoint detection and response (EDR) tools monitoring for process execution initiated by the Cursor application context. Manual inspection of `.vscode/tasks.json` files within newly opened projects.
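
The manual inspection of `.vscode/tasks.json` mentioned above can be scripted and run before a cloned repository is opened in Cursor. The following is an added example, not code from Cursor or the Oasis Security report. It assumes the tasks of concern are those using VS Code's `runOptions.runOn: "folderOpen"` option, which this summary does not name, and the sample file is constructed.

```python
import json, re, tempfile
from pathlib import Path

_STRING = r'"(?:\\.|[^"\\])*"'

def _drop(pattern, text):
    # Delete matches of `pattern`, leaving JSON string literals untouched.
    rx = re.compile(_STRING + "|" + pattern, re.S)
    return rx.sub(lambda m: m.group(0) if m.group(0)[0] == '"' else "", text)

def parse_jsonc(text):
    # tasks.json allows comments and trailing commas, which json.loads rejects.
    text = _drop(r"//[^\n]*|/\*.*?\*/", text)
    return json.loads(_drop(r",(?=\s*[}\]])", text))

def autorun_tasks(repo_root):
    """Return tasks in any .vscode/tasks.json that are set to run on folder open."""
    findings = []
    for path in sorted(Path(repo_root).rglob("tasks.json")):
        if path.parent.name != ".vscode":
            continue
        try:
            doc = parse_jsonc(path.read_text(encoding="utf-8", errors="replace"))
        except ValueError:  # fail closed: an unreadable file still needs review
            findings.append({"file": str(path), "label": None, "command": None})
            continue
        tasks = doc.get("tasks", []) if isinstance(doc, dict) else []
        for task in (t for t in tasks if isinstance(t, dict)):
            opts = task.get("runOptions")
            if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
                findings.append({"file": str(path), "label": task.get("label"),
                                 "command": task.get("command")})
    return findings

# Constructed sample: a harmless autorun task next to an ordinary build task.
SAMPLE = r'''{
  // JSONC comment containing a "quote"
  "tasks": [
    {"label": "setup", "type": "shell", "command": "echo marker // not a comment",
     "runOptions": {"runOn": "folderOpen"},},
    {"label": "build", "type": "shell", "command": "make",},
  ],
}'''

def scan_sample():
    with tempfile.TemporaryDirectory() as d:
        vs = Path(d, "pkg", ".vscode")
        vs.mkdir(parents=True)
        (vs / "tasks.json").write_text(SAMPLE, encoding="utf-8")
        return [(f["label"], f["command"]) for f in autorun_tasks(d)]
```

Call `autorun_tasks("/path/to/clone")` from a terminal. Any entry returned, including one with a `None` label (a file that could not be parsed), should be read by hand before the folder is opened in the editor.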
## References
- Vendor Advisory: Cursor has issued statements regarding their stance on Workspace Trust (see Oasis Security report).
- Relevant links: hxxps://www.oasis.security/blog/cursor-security-flaw