Cursor Agent is vulnerable to prompt injection via MCP Special Files

Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions below 1.3.9, If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive MCP files, such as the .cursor/mcp.json file don't already exist in the workspace, an attacker can chain a indirect prompt injection vulnerability to hijack the context to write to the settings file and trigger RCE on the victim without user approval. This is fixed in version 1.3.9.

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

Cursor 安全漏洞

Cursor是Cursor开源的一个 AI 代码编辑器。 Cursor 1.3.9之前版本存在安全漏洞，该漏洞源于允许未经用户批准写入工作区文件，可能导致远程代码执行。

N/A

N/A