CVE-2025-61590 – This vulnerability allows remote code execution... (How to Fix)

Q: What is the severity of CVE-2025-61590?

CVE-2025-61590 has a CVSS score of 7.5 (HIGH). This vulnerability allows remote code execution in Cursor AI code editor versions 1.6 and below through manipulation of Visual Studio Code workspace files. Attackers who compromise the chat context (e.g., via MCP server) can use prompt injection to modify workspace settings, bypassing previous security fixes. Users of Cursor versions 1.6 and earlier are affected.

📋 TL;DR

This vulnerability allows remote code execution in Cursor AI code editor versions 1.6 and below through manipulation of Visual Studio Code workspace files. Attackers who compromise the chat context (e.g., via MCP server) can use prompt injection to modify workspace settings, bypassing previous security fixes. Users of Cursor versions 1.6 and earlier are affected.

💻 Affected Systems

Products:

Cursor AI Code Editor

Versions: Versions 1.6 and below

Operating Systems: Windows, macOS, Linux

Default Config Vulnerable: ⚠️ Yes

Notes: Requires use of VS Code workspace functionality and vulnerable chat context/MCP server configuration.

📦 What is this software?

Cursor by Anysphere

View all CVEs affecting Cursor →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise with attacker gaining arbitrary code execution on the victim's machine, potentially leading to data theft, ransomware deployment, or lateral movement.

🟠

Likely Case

Attacker executes malicious code in the context of the Cursor user, potentially stealing sensitive code, credentials, or deploying malware.

🟢

If Mitigated

Limited impact with proper network segmentation and user privilege restrictions, though local code execution remains possible.

🌐 Internet-Facing: MEDIUM - Requires initial compromise of chat context (MCP server) which may be internet-facing, but exploitation requires user interaction.

🏢 Internal Only: MEDIUM - Internal attackers with access to MCP servers or chat contexts could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires initial compromise of chat context (MCP server) and user interaction with malicious workspace file.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 1.7

Vendor Advisory: https://github.com/cursor/cursor/security/advisories/GHSA-xg6w-rmh5-r77r

Restart Required: Yes

Instructions:

1. Open Cursor editor. 2. Go to Help > Check for Updates. 3. Install version 1.7 or later. 4. Restart Cursor.

🔧 Temporary Workarounds

Disable automatic workspace creation

all

Prevent automatic creation of untitled.code-workspace files

Add "files.autoSave": "off" to user settings.json

Restrict MCP server access

all

Limit access to MCP servers to trusted sources only

🧯 If You Can't Patch

Disable Cursor's AI chat functionality entirely
Run Cursor in sandboxed/isolated environment with limited permissions

🔍 How to Verify

Check if Vulnerable:

Check Cursor version in Help > About. If version is 1.6 or lower, you are vulnerable.

Check Version:

On Linux/macOS: cursor --version. On Windows: Check Help > About in GUI.

Verify Fix Applied:

Verify version is 1.7 or higher in Help > About and ensure no suspicious .code-workspace files exist.

📡 Detection & Monitoring

Log Indicators:

Unexpected modifications to .code-workspace files
Suspicious AI chat prompts attempting file writes

Network Indicators:

Unusual connections to MCP servers
Unexpected outbound connections after workspace file modification

SIEM Query:

file_modification:*.code-workspace AND process_name:cursor.exe

📊 Metadata

CVE ID: CVE-2025-61590

CVSS v3 Score: 7.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-94

EPSS Score: 0.25% exploit probability (47.8th percentile)

Published: October 3, 2025

Last Updated: October 17, 2025

🔗 References

https://github.com/cursor/cursor/security/advisories/GHSA-xg6w-rmh5-r77r Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-61590, you might also want to check these: