CVE-2025-9190
BaseFortify
Publication date: 2025-08-26
Last updated on: 2025-08-26
Assigner: CERT.PL
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cursor | cursor | * |
| cursor | cursor | 15.4.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-276 | During installation, installed file permissions are set to allow anyone to modify those files. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-9190 is a vulnerability in the Cursor application on macOS (up to version 15.4.1) caused by the app being configured with the "RunAsNode" fuse enabled. This setting allows a local attacker with unprivileged access to execute arbitrary code that inherits Cursor's TCC (Transparency, Consent, and Control) permissions. Essentially, the attacker can leverage previously granted permissions to access user files in privacy-protected folders without triggering additional system prompts, potentially disguising malicious actions. The developers chose not to fix this issue as local attacker scenarios fall outside their threat model. [1, 2]
How can this vulnerability impact me?
This vulnerability can allow a local attacker to execute arbitrary code within Cursor.app that inherits its TCC permissions, enabling access to user files and other privacy-protected resources without additional user consent prompts. This undermines macOS's privacy protections by bypassing TCC safeguards, potentially exposing sensitive data such as files in protected folders, iCloud Drive contents, and other resources Cursor has permission to access. The impact depends on the permissions Cursor has been granted, but it can lead to unauthorized data access and privacy breaches. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2025-9190 involves identifying if the Cursor application on macOS is running with the 'RunAsNode' fuse enabled, which allows code injection inheriting TCC permissions. Since this is a local vulnerability related to code execution within Cursor, network detection is limited. On the system, you can check if Cursor.app version 15.4.1 or earlier is installed and running with the RunAsNode configuration. Specific commands are not provided in the resources, but monitoring running processes for Cursor running as a Node.js process or inspecting Cursor's configuration files for the RunAsNode fuse setting may help detect exploitation attempts. [1, 2]
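One way to inspect the RunAsNode fuse setting mentioned above, as an added example that is not part of the advisory or of Cursor's own code. It assumes the Electron fuse-wire layout read by the `@electron/fuses` package (a sentinel string, a version byte, a length byte, then one byte per fuse, with RunAsNode at index 0); the sample bytes are constructed, and the file to scan is supplied by the operator.

```python
import sys

# Sentinel string that precedes the fuse wire in an Electron binary
# (the same constant the @electron/fuses package searches for).
SENTINEL = b"dL7pKGdnNz796PbbjQWNKmHXBZaB9tsX"
STATES = {0x30: "disabled", 0x31: "enabled", 0x72: "removed"}
RUN_AS_NODE = 0  # index of the RunAsNode fuse in fuse-wire version 1


def read_fuse_wires(blob: bytes) -> list[list[str]]:
    """Return the decoded fuse states for every fuse wire found in blob.

    A universal (fat) macOS binary carries one wire per architecture slice,
    so every occurrence of the sentinel is decoded, not just the first.
    """
    wires, pos = [], blob.find(SENTINEL)
    while pos != -1:
        head = pos + len(SENTINEL)
        if head + 2 <= len(blob):
            version, length = blob[head], blob[head + 1]
            body = blob[head + 2 : head + 2 + length]
            # Skip truncated wires and versions this parser does not know.
            if version == 1 and len(body) == length:
                wires.append([STATES.get(b, f"unknown(0x{b:02x})") for b in body])
        pos = blob.find(SENTINEL, pos + 1)
    return wires


def run_as_node_enabled(blob: bytes) -> bool:
    """True if any architecture slice has the RunAsNode fuse enabled."""
    wires = read_fuse_wires(blob)
    if not wires:
        raise ValueError("no Electron fuse wire found")
    return any(w[RUN_AS_NODE] == "enabled" for w in wires if w)


# Constructed samples: padding + sentinel + version 1 + four fuse bytes.
SAMPLE_ON = b"\x00" * 16 + SENTINEL + bytes([1, 4]) + b"110r" + b"\x00" * 8
SAMPLE_OFF = b"\x00" * 16 + SENTINEL + bytes([1, 4]) + b"010r" + b"\x00" * 8

if __name__ == "__main__":
    # Assumption: argv[1] is the Electron Framework binary inside the app bundle.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_ON
    for i, wire in enumerate(read_fuse_wires(data)):
        print(f"wire {i}: RunAsNode={wire[RUN_AS_NODE] if wire else 'n/a'} all={wire}")
    print("RunAsNode enabled:", run_as_node_enabled(data))
```

A result of `True` only shows that the fuse is enabled in that build; which protected resources are reachable still depends on the TCC permissions the user has granted to the app.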
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include avoiding use of Cursor.app versions up to 15.4.1 that enable the RunAsNode fuse, as the developers have no plans to fix this vulnerability. Users should consider removing or disabling Cursor.app or restricting its execution to trusted environments. Additionally, monitoring for suspicious code injection or unexpected processes inheriting Cursor's permissions can help. Since the vulnerability relies on previously granted TCC permissions, reviewing and minimizing Cursor's TCC permissions may reduce risk. Applying macOS security best practices, such as limiting local unprivileged access, can also mitigate exploitation. [1, 2]