CVE-2025-64110
BaseFortify
Publication date: 2025-11-05
Last updated on: 2025-11-07
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anysphere | cursor | < 2.0 (all versions before 2.0; 2.0 excluded) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Cursor versions 1.7.23 and below, where a logic bug allows a malicious agent to read sensitive files that should be protected by the cursorignore configuration. An attacker who has already achieved prompt injection, or a malicious model, can create a new cursorignore file that invalidates the existing configuration, thereby gaining access to files that were meant to be protected. This issue is fixed in version 2.0.
How can this vulnerability impact me?
The vulnerability can allow a malicious agent to bypass the file protection mechanism and read sensitive files that should be excluded by the cursorignore configuration. This could lead to unauthorized disclosure of sensitive information, compromising data confidentiality.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Cursor to version 2.0 or later; that version fixes the logic bug that allowed a malicious agent to read protected files by invalidating the cursorignore configuration.