A critical vulnerability has been patched in Cursor, an AI-powered code editor, that could allow an attacker to gain complete remote control of a developer's computer. The multi-stage exploit, discovered by security researcher Johann Rehberger, combined AI manipulation with a sandbox escape to achieve remote code execution (RCE).
The attack could be initiated simply by a developer opening a malicious project file. An attacker would first embed hidden instructions within a seemingly harmless file, such as a README.md. When opened in the IDE, Cursor’s AI assistant would process the file’s contents. These instructions acted as an indirect prompt injection, tricking the AI into executing system commands.
Rehberger discovered that these commands could then bypass the AI's protective sandbox, allowing arbitrary code to run directly on the host machine. To complete the attack chain, the malicious code could activate Cursor’s legitimate remote tunnel feature, establishing a persistent shell and giving the attacker ongoing access to the compromised device.
The impact of such a compromise is severe. A successful attacker could steal proprietary source code, exfiltrate sensitive credentials like API keys and cloud access tokens, or use the developer’s machine as a launchpad to move laterally within a corporate network. The vulnerability highlights a significant software supply chain risk, where developer tools themselves become the vector for an attack.
Rehberger reported the vulnerability to the Cursor team on January 16, 2024. A patch was subsequently released on February 2 in version 0.20.1. All users of the Cursor IDE are advised to update to the latest version immediately to protect against this threat.
