CVE-2025-64110
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-05

Last updated on: 2025-11-07

Assigner: GitHub, Inc.

Description
Cursor is a code editor built for programming with AI. In versions 1.7.23 and below, a logic bug allows a malicious agent to read sensitive files that should be protected via cursorignore. An attacker who has already achieved prompt injection, or a malicious model, could create a new cursorignore file which can invalidate the configuration of pre-existing ones. This could allow a malicious agent to read protected files. This issue is fixed in version 2.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-05
Last Modified
2025-11-07
Generated
2026-06-16
AI Q&A
2025-11-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-64110
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
anysphere cursor to 2.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Cursor versions 1.7.23 and below, where a logic bug allows a malicious agent to read sensitive files that should be protected by the cursorignore configuration. An attacker who has already performed prompt injection or a malicious model can create a new cursorignore file that invalidates existing configurations, thereby enabling access to protected files. This issue is fixed in version 2.0.

Impact Analysis

The vulnerability can allow a malicious agent to bypass file protection mechanisms and read sensitive files that should be ignored by the cursorignore configuration. This could lead to unauthorized disclosure of sensitive information, potentially compromising data confidentiality and security.

Mitigation Strategies

Upgrade Cursor to version 2.0 or later, as this version fixes the vulnerability related to the logic bug allowing malicious agents to read protected files by invalidating cursorignore configurations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-64110. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart