CVE-2025-49150
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-06-11

Last updated on: 2025-06-12

Assigner: GitHub, Inc.

Description
Cursor is a code editor built for programming with AI. Prior to 0.51.0, by default, the setting json.schemaDownload.enable was set to True. This means that by writing a JSON file, an attacker can trigger an arbitrary HTTP GET request that does not require user confirmation. Since the Cursor Agent can edit JSON files, this means a malicious agent, for example, after a prompt injection attack already succeeded, could trigger a GET request to an attacker controlled URL, potentially exfiltrating other data the agent may have access to. This vulnerability is fixed in 0.51.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-11
Last Modified
2025-06-12
Generated
2026-05-07
AI Q&A
2025-06-11
EPSS Evaluated
2026-05-05
NVD
CVE-2025-49150
EUVD
EUVD-2025-18134
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the Cursor Desktop App versions prior to 0.51.0, where the default setting `json.schemaDownload.enable` was True. This setting allows the app to automatically perform arbitrary HTTP GET requests when processing JSON files without user confirmation. If an attacker gains control of the Cursor Agent, for example through a prior prompt injection attack, they can exploit this behavior to trigger HTTP GET requests to attacker-controlled URLs. This could potentially lead to exfiltration of sensitive data accessible to the agent. [1]


How can this vulnerability impact me? :

If exploited, this vulnerability can allow an attacker who has already gained control over the Cursor Agent to make the application send HTTP GET requests to attacker-controlled servers. This can result in the attacker exfiltrating sensitive data that the agent has access to. The attack requires no user interaction and no privileges, but it is complex and requires prior compromise of the agent. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection involves monitoring for unexpected HTTP GET requests initiated by the Cursor application, especially those triggered by JSON file processing. Since the vulnerability allows arbitrary HTTP GET requests without user confirmation, network monitoring tools can be used to identify suspicious outbound requests to unknown or attacker-controlled URLs. On the system, checking the Cursor app version to ensure it is 0.51.0 or later can help detect vulnerable installations. Specific commands are not provided in the resources. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the Cursor Desktop App to version 0.51.0 or later, where the default setting `json.schemaDownload.enable` is disabled, preventing automatic arbitrary HTTP GET requests. Alternatively, if upgrading is not immediately possible, manually disable the `json.schemaDownload.enable` setting to False to block this behavior. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart