CVE-2025-54130
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-08-25
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anysphere | cursor | to 1.3.9 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| NVD-CWE-Other | Other (NVD catch-all label used when no specific CWE is assigned). |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54130 is a vulnerability in Cursor versions prior to 1.3.9 where the editor allows writing new dotfiles (hidden files starting with a dot) in the workspace without user approval. While editing existing dotfiles requires approval, creating new ones does not. An attacker can exploit this by chaining a prompt injection vulnerability to create sensitive configuration files like .vscode/settings.json if they don't already exist. This lets the attacker hijack the editor context and execute arbitrary code (RCE) on the victim's machine without their consent. [1]
How can this vulnerability impact me?
This vulnerability can lead to an attacker executing arbitrary code on your machine without your approval. They can create or modify sensitive editor configuration files to hijack the editor context, potentially changing your default shell or running malicious commands. This impacts the confidentiality, integrity, and availability of your system, allowing unauthorized access and control. [1]
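An added example, not code from Cursor or BaseFortify, contrasting the flawed approval rule described above (only writes to dotfiles that already exist are gated) with a corrected rule that gates every dotfile or dot-directory path whether or not it exists yet. The workspace paths and write requests are constructed for illustration.

```python
from pathlib import PurePosixPath

# Constructed write requests: (workspace-relative path, file already exists?)
# .vscode/settings.json is the configuration file named in the CVE text.
WRITE_REQUESTS = [
    (".vscode/settings.json", False),  # new editor config -> unapproved under the flaw
    (".vscode/settings.json", True),   # editing an existing one was already gated
    ("src/main.py", False),            # ordinary source file, no gate either way
    ("../.bashrc", False),             # escapes the workspace; must always be gated
]


def _is_dot_path(path: str) -> bool:
    """True if any component of the path is a dotfile or dot-directory."""
    parts = PurePosixPath(path).parts  # pathlib drops '.' but keeps '..'
    return any(p.startswith(".") and p != ".." for p in parts)


def flawed_needs_approval(path: str, exists: bool) -> bool:
    """Pre-1.3.9 behaviour as described: only existing dotfiles are gated,
    so creating a new dotfile slips through without a prompt."""
    return exists and _is_dot_path(path)


def fixed_needs_approval(path: str, exists: bool) -> bool:
    """Corrected rule: gate creation and modification alike, and gate any
    path that is absolute or walks out of the workspace via '..'."""
    p = PurePosixPath(path)
    if p.is_absolute() or ".." in p.parts:
        return True
    return _is_dot_path(path)


def silent_writes(requests, policy) -> list:
    """Paths a given policy would let an agent write without asking the user."""
    return [path for path, exists in requests if not policy(path, exists)]


if __name__ == "__main__":
    print("flawed policy writes silently:", silent_writes(WRITE_REQUESTS, flawed_needs_approval))
    print("fixed policy writes silently: ", silent_writes(WRITE_REQUESTS, fixed_needs_approval))
```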