CVE-2025-9190
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-08-26

Last updated on: 2025-08-26

Assigner: CERT.PL

Description
The configuration of Cursor on macOS, specifically the "RunAsNode" fuse enabled, allows a local attacker with unprivileged access to execute arbitrary code that inherits Cursor TCC (Transparency, Consent, and Control) permissions. Acquired resource access is limited to previously granted permissions by the user. Accessing other resources beyond previously granted TCC permissions will prompt the user for approval in the name of Cursor, potentially disguising attacker's malicious intent. This issue was detected in 15.4.1 version of Cursor. Project maintainers decided not to fix this issue, because a scenario including a local attacker falls outside their defined threat model.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-08-26
Last Modified
2025-08-26
Generated
2026-06-16
AI Q&A
2025-08-26
EPSS Evaluated
2026-06-14
NVD
CVE-2025-9190
EUVD
EUVD-2025-25782
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
cursor cursor *
cursor cursor 15.4.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-276 During installation, installed file permissions are set to allow anyone to modify those files.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-9190 is a vulnerability in the Cursor application on macOS (up to version 15.4.1) caused by the app's configuration with the "RunAsNode" fuse enabled. This setting allows a local attacker with unprivileged access to execute arbitrary code that inherits Cursor's TCC (Transparency, Consent, and Control) permissions. Essentially, the attacker can leverage previously granted permissions to access user files in privacy-protected folders without triggering additional system prompts, potentially disguising malicious actions. The developers chose not to fix this issue as local attacker scenarios fall outside their threat model. [1, 2]

Impact Analysis

This vulnerability can allow a local attacker to execute arbitrary code within Cursor.app that inherits its TCC permissions, enabling access to user files and other privacy-protected resources without additional user consent prompts. This undermines macOS's privacy protections by bypassing TCC safeguards, potentially exposing sensitive data such as files in protected folders, iCloud Drive contents, and other resources Cursor has permission to access. The impact depends on the permissions Cursor has been granted, but it can lead to unauthorized data access and privacy breaches. [1, 2]

Detection Guidance

Detection of CVE-2025-9190 involves identifying if the Cursor application on macOS is running with the 'RunAsNode' fuse enabled, which allows code injection inheriting TCC permissions. Since this is a local vulnerability related to code execution within Cursor, network detection is limited. On the system, you can check if Cursor.app version 15.4.1 or earlier is installed and running with the RunAsNode configuration. Specific commands are not provided in the resources, but monitoring running processes for Cursor running as a Node.js process or inspecting Cursor's configuration files for the RunAsNode fuse setting may help detect exploitation attempts. [1, 2]

Mitigation Strategies

Immediate mitigation steps include avoiding use of Cursor.app versions up to 15.4.1 that enable the RunAsNode fuse, as the developers have no plans to fix this vulnerability. Users should consider removing or disabling Cursor.app or restricting its execution to trusted environments. Additionally, monitoring for suspicious code injection or unexpected processes inheriting Cursor's permissions can help. Since the vulnerability relies on previously granted TCC permissions, reviewing and minimizing Cursor's TCC permissions may reduce risk. Applying macOS security best practices, such as limiting local unprivileged access, can also mitigate exploitation. [1, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-9190. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart