Full Report
The latest releases of Cursor and Windsurf integrated development environments are vulnerable to more than 94 known and patched security issues in the Chromium browser and the V8 JavaScript engine. [...]
Analysis Summary
# Vulnerability: Numerous Unpatched Chromium/V8 Flaws in Cursor and Windsurf IDEs
## CVE Details
- CVE ID: CVE-2025-7656 (Specifically mentioned example)
- CVSS Score: Not provided for the aggregate, and none is given for CVE-2025-7656 in the report; the researchers characterise CVE-2025-7656 as a serious V8 engine flaw.
- CWE: Integer overflow (CWE-190) for the demonstrated CVE; the remaining inherited Chromium/V8 flaws fall under their own upstream CWE classes.
## Affected Systems
- Products: Cursor IDE, Windsurf IDE
- Versions: Any build whose embedded Electron, and therefore Chromium and V8, predates the upstream fixes. The report cites Cursor 0.47.9 embedding Chromium 132.0.6834.210, last updated on 2025-03-21.
- Configurations: Any installation of Cursor or Windsurf utilizing the outdated Electron framework containing vulnerable Chromium/V8 components.
## Vulnerability Description
Cursor and Windsurf IDEs are built on outdated versions of the Electron framework, which embeds old versions of the Chromium browser and the V8 JavaScript engine. As a result the IDEs inherit at least 94 vulnerabilities that are already known and patched upstream in Chromium/V8 but remain present in the IDEs, whose embedded engines have not been updated since March 21, 2025.
The researchers demonstrated exploitation of **CVE-2025-7656**, an integer overflow in the V8 engine: triggered via a crafted deeplink, it crashed the IDE's renderer process (Denial of Service). Arbitrary code execution is noted as a realistic outcome for attacks that use other flaws in the inherited set.
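Because the issue is an inherited engine version rather than a flaw in the IDE's own code, the practical first check is to read the embedded Chromium build and compare it numerically with the upstream build that carries a given fix. In VS Code-derived editors the renderer's `navigator.userAgent` (reachable via Help > Toggle Developer Tools) includes `Chrome/<version>` and `Electron/<version>` tokens. The script below is an added example, not code from the OX Security report or from Cursor/Windsurf; the user-agent string is constructed (only the Chromium build number is the one the report cites for Cursor 0.47.9), and the fixed-in threshold is an assumed value that must be replaced with the build listed in the upstream Chrome release note for the CVE being checked.

```python
"""Check an Electron-based IDE's embedded Chromium build against a fix version.

Added example, not code from the OX Security report or from Cursor/Windsurf.
"""
import re
from typing import Dict, Tuple

# Constructed sample user agent in the shape Electron renderers report via
# navigator.userAgent (app/version, then Chrome/ and Electron/ tokens). The Chrome
# build matches the one the report cites for Cursor 0.47.9; the Electron and
# platform fields are illustrative.
SAMPLE_UA = (
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Cursor/0.47.9 Chrome/132.0.6834.210 Electron/34.3.2 Safari/537.36"
)

# Assumed threshold: the first Chromium build carrying the fix for the CVE under
# review. Take the real value from the upstream Chrome release note for that CVE;
# this constant is an assumption used only to drive the example.
ASSUMED_FIXED_IN = "138.0.7204.157"

_TOKEN = re.compile(r"\b(Chrome|Electron)/(\d+(?:\.\d+)*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '132.0.6834.210' into (132, 0, 6834, 210) so comparisons are numeric.

    Plain string comparison gets this wrong: '99.0.0.0' > '132.0.6834.210' as text.
    """
    if not re.fullmatch(r"\d+(?:\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def extract_versions(user_agent: str) -> Dict[str, str]:
    """Pull the Chrome/ and Electron/ versions out of a user-agent string."""
    found = {name.lower(): version for name, version in _TOKEN.findall(user_agent)}
    if "chrome" not in found:
        raise ValueError("no Chrome/ token; is this an Electron user agent?")
    return found


def is_patched(embedded: str, fixed_in: str) -> bool:
    """True when the embedded Chromium build is at or above the fixing build."""
    return parse_version(embedded) >= parse_version(fixed_in)


def audit(user_agent: str, fixed_in: str) -> Dict[str, object]:
    """Summarise one IDE build: which engines it embeds and whether the embedded
    Chromium predates the fix we are checking for."""
    versions = extract_versions(user_agent)
    chrome = versions["chrome"]
    return {
        "chrome": chrome,
        "electron": versions.get("electron"),
        "fixed_in": fixed_in,
        "patched": is_patched(chrome, fixed_in),
        # How many Chromium major releases the IDE lags behind the fixing build.
        "majors_behind": parse_version(fixed_in)[0] - parse_version(chrome)[0],
    }


if __name__ == "__main__":
    result = audit(SAMPLE_UA, ASSUMED_FIXED_IN)
    state = "patched" if result["patched"] else "VULNERABLE"
    print(f"Chromium {result['chrome']} (Electron {result['electron']}): {state}; "
          f"fix lands in {result['fixed_in']}, {result['majors_behind']} majors ahead")
```

Run it against the user-agent string copied from the IDE's developer console; a negative result for one CVE means every other upstream fix between the embedded build and the threshold is missing as well, which is why the report counts flaws in the dozens rather than one.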
## Exploitation
- Status: PoC available (Demonstrated for CVE-2025-7656 leading to DoS)
- Complexity: Low to Medium.
- Attack Vector: Network (a crafted URL, typically delivered by phishing, that triggers the IDE's deeplink handler) or Local (a malicious extension, code injected into local documentation or tutorials, or a poisoned repository previewed inside the IDE).
## Impact
*Note: Impact is inferred based on known capabilities of similar Chromium/V8 exploits (like CVE-2025-7656).*
- Confidentiality: High (If arbitrary code execution is achieved)
- Integrity: High (If arbitrary code execution is achieved)
- Availability: Medium (DoS via renderer crash demonstrated)
## Remediation
### Patches
- Vendors (Cursor/Windsurf) need to update the embedded Chromium/V8 engines by moving to an Electron release that incorporates the security fixes for the 94+ identified CVEs.
- According to the researchers, the latest VS Code versions *are* regularly updated and do not appear to suffer from this specific issue.
### Workarounds
- Users should keep untrusted content away from the IDE's renderer: do not open project files, documentation or code snippets from unknown sources that the IDE renders as web content, treat IDE deeplinks arriving in email or on web pages as untrusted, and install only extensions from trusted publishers.
## Detection
- Indicators of Compromise: Renderer-process crashes of the IDE (the demonstrated DoS) shortly after it handled attacker-controlled input such as a deeplink, a newly opened file or repository, or a freshly installed extension; unexpected outbound connections from the IDE process following such input.
- Detection Methods and Tools: Since the flaws are the same code as the upstream Chromium/V8 CVEs, existing endpoint detection rules for those CVEs can be adapted to the IDE's renderer process. Complement this with an inventory check that compares each installed IDE's embedded Chromium/Electron version against the upstream releases that fixed the relevant CVEs.
## References
- Vendor advisories: None provided by Cursor or Windsurf in response to the report (Cursor marked DoS as out of scope).
- Relevant links - defanged:
- Vendor report: hxxps://www.ox.security/blog/94-Vulnerabilities-in-Cursor-and-Windsurf-Put-1-8M-Developers-at-Risk/
- Reference to fixed CVE: hxxps://www.bleepingcomputer.com/news/security/google-fixes-actively-exploited-sandbox-escape-zero-day-in-chrome/