42 comments

  • Aperocky7 hours ago
    As someone who is on the other side, the amount of familiar, LLM generated reports are overwhelming and usually falls under &quot;not familiar with product design&#x2F;security scope&quot; category. But there are also really good ones - so I can&#x27;t afford to not take actual look at each, but it gets tiring and we need a solution. Spamming the former category with LLM generated &quot;rationale&quot; isn&#x27;t that solution (yes I can tell this article is mostly LLM generated).<p>Unfortunately, this looks like the former case. If the software can execute arbitrary code&#x2F;binary, and you place a malicious binary, that&#x27;s up to you to secure&#x2F;sandbox the workspace, not the software. Unless cursor commit themselves to securing the user environment, which I don&#x27;t think they are in the business of.<p>If you are generating a CVE report with LLM, please use LLM responsibly in helping you reproduce deterministically. Then please do the write up yourself, keep it as concise as possible and strip most adjectives in any LLM generated sections as they cannot help themselves to write without mostly useless exaggerations.
    • hack13124 hours ago
      Opening a freshly cloned repo in Cursor shouldn’t automatically execute a binary within that repo.
      • romanovcode4 hours ago
        We&#x27;re back to autorun.exe times
        • username1354 hours ago
          Time is a flat circle it seems
        • nicman2356 minutes ago
          but it is just a agents.md file lol
      • himata41132 hours ago
        Let me introduce you to jetbrains, vscode and nearly every other IDE that relies on an LSP.<p>Edit: yes I get that there&#x27;s a trust system, but I know a lot of people just trust everything in a directory.
        • DanielHB1 hour ago
          VSCode at least prompts you to trust the project folder before running anything, otherwise it will use a globally installed LSP.
        • tjoff1 hour ago
          What repo-binary is executed for the LSP?
        • andbartol1 hour ago
          Both jetbrains and vscode ask you if you trust the project
    • hughw48 minutes ago
      &gt; If the software can execute arbitrary code&#x2F;binary, and you place a malicious binary, that&#x27;s up to you to secure&#x2F;sandbox the workspace, not the software.<p>What do you think PATH variables are for? Cursor just immediately adds the repo to your PATH, iiuc, without user approval.
    • f311a4 hours ago
      &gt; But there are also really good ones - so I can&#x27;t afford to not take actual look at each, but it gets tiring and we need a solution.<p>There is not easy solution, the landscape has changed and if care about security, you just need to allocate more human resources. Another layer of LLM checks won&#x27;t help.
  • lemagedurage5 hours ago
    The problem seems to be deeper rooted. Cursor doesn&#x27;t see cloning a repo with Cursor and code execution as separate security boundaries.<p>Cursor ships with Workspace Trust disabled by default [0]. A repo that includes .vscode&#x2F;tasks.json with &quot;runOn&quot;: &quot;folderOpen&quot; will already run arbitrary code [1].<p>[0] <a href="https:&#x2F;&#x2F;cursor.com&#x2F;docs&#x2F;agent&#x2F;security#workspace-trust" rel="nofollow">https:&#x2F;&#x2F;cursor.com&#x2F;docs&#x2F;agent&#x2F;security#workspace-trust</a><p>[1] <a href="https:&#x2F;&#x2F;www.oasis.security&#x2F;blog&#x2F;cursor-security-flaw" rel="nofollow">https:&#x2F;&#x2F;www.oasis.security&#x2F;blog&#x2F;cursor-security-flaw</a>
  • wxw13 hours ago
    &gt; The vulnerability was first identified by Mindgard on December 15, 2025. We reported it the same day and multiple times since. More than six months and 197+ new versions later, the issue remains present in the latest tested version of Cursor.<p>&gt; The report was initially closed as Informative and out of scope. After we challenged that determination, HackerOne reopened the report, reproduced the issue, and confirmed that the details had been delivered to Cursor. And then everything stopped. Requests for updates went unanswered, additional follow-ups received no response, escalation through HackerOne produced no meaningful engagement, and direct outreach to Cursor leadership yielded the same result: no response.<p>Really unfortunate. I don&#x27;t understand why there&#x27;s such a lack of response on the Cursor side.
    • app1313 hours ago
      The CVE process itself is broken. HackerOne and company VDPs are inundated with new reports of varying quality thanks to the advancements (I think) in agentic AI. It&#x27;s allowed for both an increase in trash-tier low quality AND legitimately high quality reports. Since the same AI&#x27;s are writing both, its almost impossible to distinguish between the two at a surface level.<p>In response, companies just aren&#x27;t responding like they used to. I spoke at a cybersecurity conference In June and the overwhelming &quot;vibe&quot; on the floor and in the talks was that responsible disclosure was dead or dying, and public disclosure is the way forward. The Microsoft and Nightmare Eclipse situation was oft cited.
      • demosthanos11 hours ago
        As someone on the company response side of the HackerOne brokenness, I can confirm that this effect is real but would also note that the difficulty of distinguishing is not as severe as all that, because the companies have access to the source code which the researchers do not typically have access to.<p>This means that the token cost of verifying any given HackerOne report is dramatically lower than the token cost of producing a report in the first place. Automated triage systems should be possible, and realistically it&#x27;s well within the capabilities of most companies to go further and actually automate the Red Team side of it and catch issues before they surface in the black box research. From what I&#x27;ve seen doing so should cost dramatically less in tokens than the bounty payouts do.<p>The problem is that security is woefully underfunded in most companies, so even an infosec organization that saw the deluge approaching from a distance may well not have had the resources to prep for it even if they knew exactly what actions they would take if they had the capacity.
        • infinite_spin8 hours ago
          Do you have a tier based system for identifying high value reporters? Like a credit score for vulnerability hunters?
          • demosthanos7 hours ago
            Not formally, but we do informally recognize names and prioritize researchers who reliably turn up good results.
            • infinite_spin6 hours ago
              that might be a nice incentive for bounty hunters, a sign of recognition and a good metric for triage
        • QuadmasterXLII10 hours ago
          The token cost of a report is lower bounded by the number of tokens in the report * price per token of the cheapest model. The token cost of a good report is much higher, but sifting out the good reports is the entire problem.
          • demosthanos8 hours ago
            In theory, yes, but are you actually seeing clearly-garbage lower-bound reports like this?<p>The ones we&#x27;re seeing show clear evidence of being AI-generated, are often incorrect or duplicated, but they also show clear evidence of the AI having done its homework and spent a while crawling our API.<p>Even if we were getting reports at the lower bound you&#x27;re describing, those would be even easier to triage: just add a quick step to check if the API in question even exists, then if it does that very cheap &quot;where is this API&quot; query becomes part of the input to the second-level triage that spends more tokens.
      • sandeepkd8 hours ago
        Should a company promoting the enterprise usability of AI, itself start with building a intake process to distinguish between the noise and signal for these reports. If you cant solve your own problems with your product then how do you expect the customers to be able to use it.
      • pseudohadamard6 hours ago
        Not even that. Even before AI came along the widespread practice of CV-Enhancement was slowly strangling the reporting of actual legitimate, needs-to-be-fixed issues. When it turns into a giant shit-shovelling exercise it&#x27;s not surprising that some of the shit doesn&#x27;t get shovelled.<p>Not defending HackerOne, but pointing out that it&#x27;s not a black-and-white issue.
    • sofixa13 hours ago
      &gt; Really unfortunate. I don&#x27;t understand why there&#x27;s such a lack of response on the Cursor side.<p>It&#x27;s hard to vibe code security.
      • koolba11 hours ago
        Is it though? Cause you can have an agent analyze the reports to filter out the wheat from the chaff.
        • thayne4 hours ago
          I suspect that is exactly what cursor did, and the agent (incorrectly) categorized this as chaff.
      • petesergeant5 hours ago
        &gt; It&#x27;s hard to vibe code security.<p>Conversely, running human or LLM-generated code through multiple LLMs to look for security holes is a fantastic way to increase security.
    • buran7713 hours ago
      &gt; I don&#x27;t understand why there&#x27;s such a lack of response on the Cursor side.<p>Too busy being acquired by SpaceX?
    • solid_fuel12 hours ago
      [flagged]
      • manacit12 hours ago
        ...that&#x27;s Anthropic?
    • _AzMoo13 hours ago
      It screams intentional to me.
    • khurs12 hours ago
      Perhaps its a intentional back door?<p>NSA&#x2F;FBI puts a git.exe in GitHub for a target. Target pulls the repo and it executes the payload.<p>As Cursor is&#x2F;was based on VS Code, does it happen in VS Code too?
      • oceansweep12 hours ago
        It’s a thing in VSCode as well&#x2F;has been a thing or things similar to it : <a href="https:&#x2F;&#x2F;www.threatlocker.com&#x2F;blog&#x2F;malicious-vs-code-tasks-json-abuse-enables-multi-stage-infostealer-deployment" rel="nofollow">https:&#x2F;&#x2F;www.threatlocker.com&#x2F;blog&#x2F;malicious-vs-code-tasks-js...</a> (2026)<p><a href="https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;programming&#x2F;comments&#x2F;zes1co&#x2F;visual_studio_code_remote_code_execution_advisory&#x2F;" rel="nofollow">https:&#x2F;&#x2F;www.reddit.com&#x2F;r&#x2F;programming&#x2F;comments&#x2F;zes1co&#x2F;visual_...</a> (2022)
        • ivirshup10 hours ago
          I think those are both different in that they require the user to say they trust this code. Additionally the first is arguably not a bug (the code in tasks.json will indeed run if you say you trust the project) and the second was reported and fixed within two months.
          • oceansweep7 hours ago
            Yes, my point was more so the underlying behavior of automatic execution of binaries associated with&#x2F;inside of a git project exists already within vscode as a pattern, and so seeing cursor doing the same wouldn&#x27;t be surprising.
  • jjcm13 hours ago
    I&#x27;m not sure I fully agree with this being a major vuln. There&#x27;s a lot of up front scary text which was raising a lot of red flags until it actually discussed the &quot;what&quot;.<p>An actor has to place a malicious .exe in the user&#x27;s code folder, named git.exe, for this to take place.<p>I see this akin to something like saying &quot;replacing their .bashrc with an alias that says `ls` instead executes `&#x2F;tmp&#x2F;mega-big-virus.sh` is a vuln&quot;.<p>Yes it&#x27;s a vector, but if they&#x27;ve placed something in your filesystem like that already, you&#x27;ve already been compromised.
    • shitter13 hours ago
      The user&#x27;s code folder? You mean the code I frequently pull from untrusted sources, unlike my .bashrc? Opening a GitHub project for review should not mean arbitrary code execution.<p>Of course, that ship has long sailed, for all major IDEs. Heck, VSCode SSH and devcontainer remotes allow RCE by design.
      • paxys11 hours ago
        The entire point of Cursor is to run autonomous coding agents. You are giving it a random untrusted repo, saying &quot;hey it might have a virus, go crazy&quot; and then getting mad that it caused harm?<p>Check (and double check and triple check) your sources. If a malicious executable made it to your computer it is already too late.
        • shitter10 hours ago
          ? Doesn’t the code exec happen upon merely launching Cursor against a repository, without giving an agent any tasks? That’s clearly an issue at the Cursor application level, not some inevitable risk caused by the non-deterministic nature of LLMs. You can’t use the latter fact to excuse the former mistake<p>Not to mention that Cursor has an agent permissions model that this presumably sidesteps!
          • cute_boi8 hours ago
            I agree cursor can fix the issue, but the main issue is downloading anything from untrusted source. The repo may have AGENTS.md which can tell please install npm package from random repo and run pnpm start etc...<p>We should never ever download any pdf or excel macros etc.. from untrusted source.
        • brookst6 hours ago
          Different layers, different risks.<p>You do not expect an agent-level app to run untrusted binaries. You expect prompt injection, etc.<p>And I don&#x27;t at all agree that a malicious executable landing in some directory is already game over. Plenty of zip files have malicious executables, it doesn&#x27;t mean you say &quot;oh, my zip extractor should just run every executable because if one&#x27;s bad I&#x27;m already toast&quot;.
          • xeyownt2 hours ago
            Ok, so you download the repo, launch Cursor, it compiles code and run it (if not, why do you even use Cursor at the first place?). Same effect.
        • thewhitetulip9 hours ago
          Cursor is used for vibe coding. There are people who used Cursor to build a webapp where passwords are printed on the front page<p>So yeah, this is a major issue
      • taneq12 hours ago
        I’ve never got my head around how it’s apparently the done thing these days to just copy a bash command from a website and run it (sometimes with sudo! O.o ) to install software. I somewhat naively hope that this is because everyone is pushing single purpose VMs for that kind of install, but really I know better.
        • petalmind11 hours ago
          &gt; to just copy a bash command from a website and run it (sometimes with sudo! O.o ) to install software.<p>how is that different from the good old days of<p><pre><code> wget ftp:&#x2F;&#x2F;ftp.something.org&#x2F;software-2.10.tar.gz tar zxfv .&#x2F;configure make sudo make install ?</code></pre>
          • Terr_11 hours ago
            Training people (esp. what passes for non-techies on Linux) to regularly copy-paste into the terminal is massively riskier than &quot;click this URL&quot;. Just for starters, consider how easily you can make a web-page where you highlight X to copy it, but instead Y is delivered to your clipboard. Then on execute it could even redraw the terminal to pretend you pasted X all along.<p>Also, there&#x27;s a convention or social-contract that everyone who downloads 2.10 <i>ought</i> to get precisely the same thing. This provides a foundation for other facets of security, like &quot;it must have an expected hash&quot; or &quot;it must validate as signed by this public key&quot;. Also investigative actions like discovering <i>when</i> something suspicious got added, or detecting that the installer is trying to access the internet when it really shouldn&#x27;t be.
            • mh-9 hours ago
              <i>&gt; Then on execute it could even redraw the terminal to pretend you pasted X all along.</i><p>Diabolical idea. Anyone know if there&#x27;s been anything in the wild that did this?
          • uecker5 hours ago
            Not much, and people also should not to do this. One should at least have a check of hash of the download vs some document signed with a key.<p>In any case, the curl|bash from a website is way worse as it leaves no trace. Here, you have an artifact, and multiple steps, so the probability that an issue can be detected is higher and when someone gets compromises one has a change to figure out what happened and warn others. (so good practice to copy the file somewhere else). People look at this only from purely &quot;can I get compromised&quot; perspective, but overlook this community aspect.
          • taneq10 hours ago
            They’re both executing unknown code, but hopefully the ftp site here is at least a trusted one, and if you feel paranoid you can verify the archive’s hash to help verify it hasn’t been monkeyed with.<p>Also the archive probably won’t go and fetch a bunch of other scripts and run them (probably…) while doing so is usually the script’s primary purpose. So you’re not just trusting the people who published the script, at the time they published it. You’re trusting them and everyone they trust to <i>still</i> be good actors <i>now</i>.<p>That’s different to it being the standard way to install self-published bundles of scripts from all over the internet.
        • paxys11 hours ago
          How is it different from downloading and running the application itself from that website?
          • xeyownt2 hours ago
            The illusion of security.
    • mort968 hours ago
      The very first paragraph of text presented to the reader on the page start with:<p><pre><code> After loading a project, Cursor attempts to find git binaries at various locations including the current workspace. By creating a repository with a planted malicious git.exe in the root, the IDE will execute it with no user interaction and no prompting of the user. </code></pre> This is a remarkably straightforward 2 sentence explanation of the issue (the &quot;what&quot;). They&#x27;re not exactly hiding it.
    • arcticfox13 hours ago
      I am not at all a security expert, but isn&#x27;t this akin to giving a repo-owner RCE if you just clone their repository and open it? I feel like that&#x27;s not an implied contract for opening a folder in your IDE.
    • zeroq13 hours ago
      This is very similar to 30yo exploit in which you placed an alternative, infected dll inside a folder with mp3s (winamp), or photos (windows picture viewer).
      • datakan13 hours ago
        It’s Windows autorun all over again. What was old is new again.
    • Shorel5 hours ago
      It is a very obvious thing in UNIX world. This should not happen, no matter if it&#x27;s Cursor or VIM or whatever program you are using. So, yes, it is a serious issue, and it&#x27;s more of a Windows fuckup than Cursor itself. It&#x27;s basic OS behaviour that&#x27;s been fixed in UNIX for decades. You want to run a program in the current folder, you write .&#x2F;program, everyone know this.
    • inigyou12 hours ago
      Cloning a repo owns your computer. Is that something you expected?
      • xeyownt2 hours ago
        That&#x27;s not what&#x27;s happening.<p>Using AI tool over that repo does, but you have to launch it before the AV kicks in.
    • _AzMoo13 hours ago
      This attack is exactly why IDE&#x27;s have a concept of trusted and untrusted locations.
      • paxys11 hours ago
        That is a very recent addition. The exact behavior they are describing was in VS Code for almost a decade.
        • _AzMoo10 hours ago
          Trusted locations were added to VSCode in 2021.<p><a href="https:&#x2F;&#x2F;code.visualstudio.com&#x2F;updates&#x2F;v1_57" rel="nofollow">https:&#x2F;&#x2F;code.visualstudio.com&#x2F;updates&#x2F;v1_57</a>
          • paxys10 hours ago
            And VS Code was released in 2015.
            • ikiris5 hours ago
              And this is 2026
      • cute_boi7 hours ago
        I think many people gets tired so much they will simply trust all the locations.
    • melodyogonna2 hours ago
      People are offloading a lot of responsibilities to tools. If you pull a repository from Github without doing due diligence then you can&#x27;t blame Cursor for getting compromised
    • beart13 hours ago
      This doesn&#x27;t require anyone placing anything deliberately on your machine (as in, needing to exploit it somehow ahead of time). It could be as simple as checking out a branch to review, where the author of the branch has added the .exe.
      • Xirdus12 hours ago
        I&#x27;d say checking out a malicious branch is in the same category as downloading a malicious attachment. By which I mean, it&#x27;s kinda on you.
        • beart10 hours ago
          Okay... but when &quot;you&quot; is a junior engineer on your team and now you are suddenly spending your entire weekend dealing with malware, it&#x27;s kinda on <i>you</i> as well.
        • krater2312 hours ago
          Downloading this attachement doesn&#x27;t executes it. Checking out a branch in this case executes the file in the branch. Thats a big difference.
          • dev_daftly8 hours ago
            In this case, if you just run a git command yourself it executes the file as well.
            • brookst6 hours ago
              On windows I guess?<p>On Linux and MacOS you&#x27;d need to run .&#x2F;git to execute a malicious binary in the cloned repo.
    • libeclipse12 hours ago
      Bro thinks cloning a repo means you&#x27;re already compromised
    • spullara10 hours ago
      I agree, this isn&#x27;t a vulnerability at all. Now that it&#x27;s public, I&#x27;m not even sure I would do anything about it if I were them.
      • jeremyjh10 hours ago
        You think opening a git repo I just cloned should execute code in that repo?
        • x3n0ph3n38 hours ago
          Maybe powershell shouldn&#x27;t include the current directory in the PATH.
  • Illniyar14 hours ago
    It&#x27;s pretty weird for cursor to run arbitrary exe file without prompting, and alarming that the researchers did not get a proper response for months.<p>But the example with calculator is a bit misleading I think, you&#x27;ll have to have a malicious exe already in the system and downloaded, and if cursor tried to run my understanding is that ACL should immediately kick in and you&#x27;ll be asked for permission to run a new, unsigned app for the first time.<p>You&#x27;ll have to have ACL disabled completely for this to be exploitable.
    • shitter13 hours ago
      And what&#x27;ll the prompt say? &quot;Do you want to run git.exe?&quot;? I&#x27;ll probably assume Cursor needs to run git but permissions got messed up somewhere and click right through that.<p>I haven&#x27;t used Windows in a while so pardon if I&#x27;m missing something.
      • Illniyar6 hours ago
        Ostensibly you&#x27;ve ran git before and never saw something like that, seeing a security warning on running git should raise some eyebrows.
      • jofzar8 hours ago
        I&#x27;m not a windows developer or a ide developer, but I would check the hash against known good git.exe and then only run if it matches it.
    • x3n0ph3n313 hours ago
      Same thing happens if I have a:<p>1) PS1 that displays the current git branch<p>2) Include the current directory in my PATH<p>Should we file a high severity CVE with bash now?
      • loumf13 hours ago
        It’s been known for decades that you should never put your current directory in your PATH. There are endless opportunities for vulnerabilities then. I learned this in college in the 80’s (by not following it and getting owned).
        • x3n0ph3n37 hours ago
          Yet PowerShell does it by default.
          • julianz7 hours ago
            I don&#x27;t think it does?<p><pre><code> &gt; cd C:\Temp &gt; copy &quot;C:\Program Files\Git\bin\git.exe&quot; .\fred.exe &gt; fred fred: The term &#x27;fred&#x27; is not recognized as a name of a cmdlet, function, script file, or executable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.</code></pre>
      • jwolfe13 hours ago
        If bash placed the current directory in your PATH by default, then yes.
        • lyu0728211 hours ago
          Could file a CVE with Microsoft then, cause thats kinda what cmd.exe is doing:<p><pre><code> &gt; git clone git:&#x2F;&#x2F;evil evil &gt; cd evil\ &gt; git status </code></pre> The last line would execute git.exe from the cloned repo, wouldn&#x27;t it?
          • frabera1 hour ago
            No, `git` uses the binary in path, to use the repo file it should be `.&#x2F;git.exe`
            • kubanczyk1 hour ago
              On Linux.<p>Look for `NoDefaultCurrentDirectoryInExePath` if you want to learn about Windows.
      • Firehawke12 hours ago
        Not with bash. If your distro is putting .&#x2F; into the path then that&#x27;s absolutely a high severity CVE with your distro&#x27;s config.
      • shitter13 hours ago
        I would file a CVE for any program that places untrusted content into PATH and invokes non-fully qualified executable names - not for the shell.
  • bragr13 hours ago
    I think this is slightly less of a Cursor bug than a bit of a Windows quirk: Windows searches the current working directory for executables before resorting to the path variable. I imagine a lot of stuff is vulnerable to such an &quot;attack&quot; on Windows.
    • ncruces10 hours ago
      Stuff that cares about security fixes this, though:<p><a href="https:&#x2F;&#x2F;go.dev&#x2F;blog&#x2F;path-security" rel="nofollow">https:&#x2F;&#x2F;go.dev&#x2F;blog&#x2F;path-security</a><p><i>The functions Command and LookPath look for a program in the directories listed in the current path, following the conventions of the host operating system. Operating systems have for decades included the current directory in this search, sometimes implicitly and sometimes configured explicitly that way by default. Modern practice is that including the current directory is usually unexpected and often leads to security problems.</i><p><a href="https:&#x2F;&#x2F;pkg.go.dev&#x2F;os&#x2F;exec#hdr-Executables_in_the_current_directory" rel="nofollow">https:&#x2F;&#x2F;pkg.go.dev&#x2F;os&#x2F;exec#hdr-Executables_in_the_current_di...</a>
    • shitter13 hours ago
      Yeah, but you can easily mitigate it by searching for the real git in known system locations and using whatever you find there (or allowing the user to configure the path). I believe that&#x27;s how VSCode does it
    • Chu4eeno13 hours ago
      Yes, but it&#x27;s an old known security gotcha people developing for Wintendo have to guard against.
    • whateveracct12 hours ago
      that sounds like Cursor has a bug and vuln on Windows to me
  • firer14 hours ago
    All too common... It&#x27;s sad yet understandable how a company would not prioritize security.<p>At the same time, it&#x27;s also understandable how a security start-up, upon (rightly) getting fed up waiting, decide to publicly disclose, as a way to scrape some PR out of the sunk cost. Public disclosure has a place. But if you truly care about helping, you could do more than bumping on HackerOne and messaging the CISO once on LinkedIn.<p>Maybe I&#x27;m too cynical but it truly feels like nobody actually cares at this point.
    • orphereus13 hours ago
      This comment is so weird. It is so vague to me and feels so off, like an alien from Men in Black trying to pass as a human.<p>How do they not truly care about helping? Also what sunk cost? What does that mean?
      • firer13 hours ago
        Hah, not trying to pass off as human. Just communicating with my fellow men in black ;)<p>To be as explicit as possible: whether disclosing this publicly actually did more good then harm is not that clear cut. Even if accounting for all the second order effects.<p>Regardless, as a business you&#x27;d still be compelled to publish, because you&#x27;ve already poured resources into this research, there&#x27;s still a chance to gain something, and there is enough plausible deniability about your true priorities.
  • dools7 hours ago
    Given the fact that people frequently give their coding agents permission to pull and push from git, this is a massive vector for supply chain attack. Some cursor instance you left running on a project has an agent that wants to grab the latest project files, some attacker has compromised some project and put their exe into it and X00,000 of people are all of a sudden running random EXE as the primary user
  • minraws14 hours ago
    Why is cursor subsequently executing anything? Like what is this black magic they want to do? I want to know the decision tree here? Was this cursor coded?<p>I do not understand the point, btw vim has had similar issues with it executing stuff you might not expect by loading a file but it was obviously a vim feature with %{expr}. But why specifically git.exe , this seems like the most redundant bug cve which could have been trivially patched, who does this feature help exactly?<p>I am not really a user of cursor never used it for even a single day, but at this point I am curious why this exists...
    • evolve-maz13 hours ago
      Here&#x27;s a common workflow:<p>- Ask cursor to summarize your existing repo to write you a nice readme<p>- Cursor opens repo<p>- Cursor looks at current code<p>- Because it&#x27;s going above and beyond, it also wants to give you some metadata about the code (other branches for things in development, maybe previous tags as milestones, etc)<p>- To do that, it runs some git commands<p>Now the malicious behavior. I ask Cursor to evaluate some remote repo. It clones it down and then runs the git command from the working directory. However, if you just call &quot;git ...&quot; from the command line there is ambiguity about that. What if there&#x27;s already a git file in the directory which windows thinks you want to execute?<p>This could happen with an untrusted repo. Or could happen from you switching branches to a compromised branch (which you wouldn&#x27;t expect to immediately run some code).<p>Normal way to handle this is using fully qualified path names for things. E.g. instead of git ... you give the full path to system installed git. Annoying for humans to type but trivial for Cursor.
    • SpicyLemonZest14 hours ago
      Presumably it&#x27;s trying to find the user&#x27;s actual Git so that the built-in agent can load context on different branches, worktrees, etc. Of course there are less vulnerable ways to do that, but this kind of mildly justified hackiness is exactly where I&#x27;d expect an AI-assisted workflow to go wrong (and an AI-assisted bug triage to fail to alarm).
  • ajhenrydev15 hours ago
    This report reads a bit like AI writing :&#x2F;<p>You need to have an already malicious payload on your pc to make this exploit work (via clone&#x2F;download&#x2F;magic). I can understand the severity of the exploit but at the same time I’d hope to not have to run into this situation for it to happen in the first place
    • gene9115 hours ago
      Modern day code agents would clone a repo and read the code when you ask it a question about an API that’s not clearly documented. This vulnerability is real.
      • paxys11 hours ago
        This is exactly why every AI agent should run in a sandbox.
      • TZubiri6 hours ago
        Don&#x27;t think that would trigger the bug, it needs to be at the repo root when the user opens the agent CLI, it&#x27;s not like the agent is calling another agent CLI process with the new repo root as its project root.
    • AntonyGarand15 hours ago
      The malicious payload can live on the remote: `git clone` a repo, open it with cursor, and you&#x27;re compromised
      • 4ndrewl13 hours ago
        It&#x27;s curious the number of people here who can&#x27;t link these two things.
      • dev_daftly8 hours ago
        git clone a repo, cd into the directory, git checkout ..., and you&#x27;re compromised
    • dalemhurley14 hours ago
      If your an opensource developer you may get a pull request containing the the git.exe
    • ryanisnan13 hours ago
      Uh, I don&#x27;t think people typically associate downloading a repository, and viewing the source, as being synonymous with activating a malicious payload. <i>That</i> is the bit that&#x27;s concerning.<p>I&#x27;m also so tired of people groaning about AI writing, yes, it&#x27;s annoying, but attack the message, not the messenger.
    • pixl9715 hours ago
      &gt;You need to have an already malicious payload on your pc to make this exploit work<p>Uh, no, not exactly from what I&#x27;m reading.<p>At least from my piss poor understanding of it, you could possibly prompt inject something like &quot;download <a href="https:&#x2F;&#x2F;github.com&#x2F;hackmycursor&#x2F;exploit.git" rel="nofollow">https:&#x2F;&#x2F;github.com&#x2F;hackmycursor&#x2F;exploit.git</a>&quot;. Would an agent do this, I&#x27;m unsure, but if so, it would download the git.exe and execute it.
      • trollbridge15 hours ago
        This has been a problem with agent harnesses for as long as I&#x27;ve used them - prompting them to retrieve something often results in them going the extra mile and running and installing it.
    • ribs13 hours ago
      I think you’ve got it wrong; no malicious payload need be on your box already. That’s not what the article says.
    • JMKH4215 hours ago
      wouldn&#x27;t the attack vector be like this:<p>I find a github repo, I want to contribute to it. I clone it, open up cursor, make an edit, commit, and boom, I am infected.
      • skeledrew14 hours ago
        From my reading, boom happens at &quot;open up cursor&quot;.
      • dev_daftly11 hours ago
        You can leave out cursor and it would do the same thing.
      • Illniyar14 hours ago
        you would only need to open it to be exploited, not edit or prompt. Allegedly
        • dalemhurley14 hours ago
          From the article it occurs when Cursor is loaded. iDEs do a lot of stuff when they first open.
  • dclowd990114 hours ago
    This draws to mind the dialog that opens when you open a new project in Cursor (and VSCode too, I think), where the IDE asks the user if they trust the project they&#x27;re opening. Is Cursor under the impression that this is sufficient security apparatus?
    • shitter13 hours ago
      Since there are no approval dialogs, it sounds like that doesn&#x27;t even come into play here. That is the &quot;gate&quot; (to use the AI parlance) that Microsoft places on code execution in workspaces, though, and I would expect Cursor to at minimum fix this to only execute git.exe in trusted workspaces.
    • alansaber13 hours ago
      Startups historically are not the most security oriented
  • hmokiguess11 hours ago
    The 0 day vulnerability is actually a developer is using Windows
  • aliasxneo15 hours ago
    I&#x27;m struggling to understand the process that went into this &quot;feature&quot; existing. It seems the most likely candidate is a developer&#x27;s git started malfunctioning and an agent &quot;fixed&quot; it by dropping a `git.exe` in the repo and then conditionally calling it when it exists.
    • gruez15 hours ago
      &gt;It seems the most likely candidate is a developer&#x27;s git started malfunctioning and an agent &quot;fixed&quot; it by dropping a `git.exe` in the repo and then conditionally calling it when it exists.<p>It doesn&#x27;t need to be that deliberate. The default shell on windows (cmd.exe) includes the current directory into PATH by default. In other words, you don&#x27;t need to do `.&#x2F;program.exe`, `program.exe` would suffice. That&#x27;s probably where the bug came from. This also means if you were using cmd.exe, ran `git clone`, went inside it, then executed any command (eg. dir or git) you could get pwned.
      • drdexebtjl15 hours ago
        Windows doesn’t really have a default login shell like Unix.<p>Windows Terminal defaults to PowerShell which does not suffer from this issue.
        • inigyou11 hours ago
          Windows has a default login shell which is explorer.exe.<p>Windows also has a system(const char*) which certainly does <i>something.</i>
    • varenc7 hours ago
      I doubt it. This is just normal Windows behavior. If you call out to a shell and have it run a `git` command the system has to decide where the git binary is. A quirk of Windows is that first it searches the current directory for a `git` executable, and then it searches directories defined in PATH. If there&#x27;s an executable git.exe in the current dir, that gets ran. I assume Cursor&#x27;s behavior is the same across platforms but this is only a Windows vuln because Windows picks binaries in the current directory before PATH.<p>A Windows user purely using the CMD shell, not Cursor, that checked out a malicious repo, went to that repo, and then ran any `git` command in that repo could be hacked the same way.
    • conartist615 hours ago
      and ever since, this approach has been a critical pathway for some billion dollar business probably. hooray
      • pixl9715 hours ago
        I see you also work in enterprise software.
  • imglorp11 hours ago
    This is exactly why Unix PATH (and offspring) does not contain &quot;.&quot; by default. If you unpack an untrusted archive and run &quot;ls&quot; you could get popped.<p>Agents should be no different.
    • nickelpro11 hours ago
      They aren&#x27;t. This is a Windows quirk. Most IDE extensions which interface with git (or any other CLI program) from the CWD are &quot;vulnerable&quot; to the same attack.<p>This is why the upstream didn&#x27;t take it seriously, this has been known for literal decades.
  • noisy_boy3 hours ago
    I am not certain about Windows but on Linux, aren&#x27;t applications supposed to use PATH based resolution provided by shell for this? Why go to the root of the project directory at all looking for binaries? Because it has been become their favorite place due to readme &#x2F; skills etc being there?
  • dhpe8 hours ago
    There&#x27;s discussion whether this is a vuln. While some responsibility should be on the user to already having downloaded a malicious binary, I think it&#x27;s poor default behavior from cursor to run git from the repo root. Is it really a use case to have git.exe in a git repo — more like a red flag.
    • cute_boi8 hours ago
      &gt; While some responsibility should be on the user<p>User should always be responsible before downloading pdf, excel and its macros. There are so many way things can get infected..
      • brookst6 hours ago
        When you clone a git repo, do you check whether there are PDFs in it?
      • TZubiri6 hours ago
        Critical difference is that PDF is a data file, while a git.exe is an executable marked to the OS as executable.
  • theaniketmaurya45 minutes ago
    First grok cli and now this
  • nosefrog15 hours ago
    Would be nice if the timeline matched up with the text of the blog post (missing &quot;HackerOne provides disclosure guidance&quot;).
  • dhosek9 hours ago
    Isn’t this a Windows flaw where it effectively treats the current directory as the head of the path? (I remember the naïve olden days of people’s Unix Path starting with .) Or is Cursor going out of its way to execute a git.exe in the current directory?
  • aniceperson13 hours ago
    damn those ai written Blogs are tiring. o a single paragraph saying that &quot;cursor o windows loads .&#x2F;git.exe with higher precedence&quot; would be enough.
  • 3plefly7 hours ago
    Has anyone tried to replicate this? I copied my calculator app and renamed it to git.exe, put it in a few repositories, openned cursor with those repositroies loaded, even prompted cursor to scan the repository, to which it said it saw the git.exe (&quot;Accidental binary — delete it, don’t commit&quot;), but nothing was executed to my knowledge
    • SV_BubbleTime7 hours ago
      I mean… is our idea of repeatability really ready for subjective actions from LLMs?<p>We spent like ALL the years making sure computer would always give repeatable objective deterministic answers… then one day we’re nah fuck that I want a slot machine!!<p>With tightly coupled agents, how could you ever really prove that it is or isn’t a problem?<p>Try and fuzz I guess? But in a many billion parameter model that seems like you could never really be sure either.<p>One day the LLM could just decide, “oh, I’ll run this git.exe!”
      • brookst6 hours ago
        The vuln is supposedly in the cursor IDE, not an LLM-mediated iteraction
  • physix10 hours ago
    Wouldn&#x27;t this be something a virus scanner would detect and quarantine?<p>Not an active Windows user, but I can&#x27;t imagine any sane person working on Windows OS without malware protection.
  • varenc7 hours ago
    On Windows, if your shell was in a malicious repo&#x27;s directory and you ran any &quot;git&quot; command, wouldn&#x27;t the behavior be the same? Binaries in the current directory are considered before PATH. This seems like a broader issue.<p>That said, Cursor should at least have some &quot;trust this directory?&quot; dialogue.
    • psd154 minutes ago
      Not in powershell, no, because . is not in PATH (unless you put it there).<p>If you tab-complete `git` it will resolve to `.\git.exe` but it you merely hit enter then it will search PATH and not the CD.
  • paxys11 hours ago
    Clone a repo and run &quot;npm install&quot; and the exact same thing will happen. You can say &quot;oh I would never run npm install on a repo I don&#x27;t trust&quot;...but then why are you cloning it and opening it in an IDE in the first place? <i>Especially</i> an IDE whose entire purpose is to run autonomous coding agents?
    • AussieWog9311 hours ago
      The difference is that I expect &quot;npm install&quot; to execute code, where I do not expect merely opening a repo to look at the files in Cursor to execute anything.
      • paxys10 hours ago
        IDEs do syntax highlighting, typechecking, linting, automatic git refreshes. All of this happens in the background without you executing any code. If you open a Typescript project in VS Code and it automatically shows you a list of errors where do you think it got them from? It ran the tsc executable in your node_modules folder.
        • tom_30 minutes ago
          Visual Studio Code asks you if you trust the files in the folder you open, or at least it always has done for me. Presumably this stuff stops working if you don&#x27;t?
        • AussieWog934 hours ago
          I&#x27;m a Python dev so don&#x27;t do much typescript, this sounds crazy too!
        • jeremyjh10 hours ago
          &gt; syntax highlighting, typechecking, linting, automatic git refreshes<p>In most languages, none of those things involve execution of code in the repo. In languages that do - for example Elixir - it prompts you to trust them first.
    • jeremyjh10 hours ago
      Cursor is an editor. Why is it executing untrusted code when a folder is opened? Opening a folder is not equivalent to executing a script contained in the repo. How can you think that is ok?
      • dev_daftly8 hours ago
        It&#x27;s not executing untrusted code, it&#x27;s calling git when you have a malicious version of git on your system
        • jeremyjh8 hours ago
          No, read the report. It will call an executable called git.exe in the untrusted repo.
  • Shorel5 hours ago
    Isn&#x27;t this the oldest kind of vulnerabilities corrected on UNIX several decades ago? The current directory is not in the PATH, period. This is also a bug on Windows only, so to me this is more a Windows issue than a Cursor issue, unless there&#x27;s some logic in Windows that is doing the same as UNIX has done for decades. Given the &quot;fix&quot; involves ACL and a complex workaround that&#x27;s not really a fix, I stay in my position this is more a Windows fuckup than something particular to Cursor.
  • throwitaway2225 hours ago
    Uh, you&#x27;re already beyond fucked if git.exe (or equivalent in *nix) is a hacked one and on your system. And similarly the same doomsday article does not exist for VSCode, Zed, GitKraken, and a billion other tools that run git without caring to ask..
    • UnwrapComment2 hours ago
      In this case, simply cloning a repository containing such an executable is enough. This isn’t a common bug or a gotcha.
      • ralferoo1 hour ago
        Although on Windows, the current directory is checked before PATH, unlike UNIX-based systems that require the current directory to be explicitly included in the PATH if that&#x27;s the behaviour you want.<p>So for any repository with git.exe in the root, if you then ran another git command from a DOS prompt with the repo as your current directory then it would give the same bad outcome of running the git.exe from the repo.<p>I&#x27;m not saying that it&#x27;s good that it&#x27;s happening, but it doesn&#x27;t seem like it&#x27;s their bug to solve per se, it&#x27;s just a feature of using Windows. Of course, they probably could work round it by parsing the PATH themselves and locating a git.exe that isn&#x27;t in the current directory.
  • chrisjj14 hours ago
    &gt; The most obvious question is also the simplest: Why hasn&#x27;t this been fixed?<p>Obvious answer is obvious. The devs do not consider it a bug.
  • awongh13 hours ago
    I guess this is only specific to a file in the root of the repo, so it doesn&#x27;t allow for an NPM supply chain attack?
    • beart13 hours ago
      It has nothing to do with npm. However, a binary could be configured to extract your git&#x2F;npm secrets using this exploit, which could then lead to a npm supply chain attack (or pip, etc. etc.).
      • awongh13 hours ago
        I meant the attack would be the other way around- if an infected package had the git.exe file in their root.<p>Or, the infected package could also copy that file into the parent project&#x27;s root.
        • beart13 hours ago
          Oh yeah that&#x27;s a good point - two layers of auto executing scripts&#x2F;binaries.
  • charcircuit2 hours ago
    Suspiciously the authors do not say if this works in restricted mode. This is not considered a vulnerability outside of restricted mode.
  • vanyaland13 hours ago
    Does the git lookup run before the trust check, or ignore it?
    • hack13124 hours ago
      Cursor ships with Workspace Trust disabled. <a href="https:&#x2F;&#x2F;cursor.com&#x2F;docs&#x2F;agent&#x2F;security#workspace-trust" rel="nofollow">https:&#x2F;&#x2F;cursor.com&#x2F;docs&#x2F;agent&#x2F;security#workspace-trust</a>
  • redwood9 hours ago
    Crazy that 7 hours after this post there&#x27;s no one from the Cursor team saying anything here. This is HN, your highest leverage audience, Anysphere... no one is home?
  • 827a13 hours ago
    Frankly, if you git clone a compromised repository, I&#x27;m not sure that a vulnerability of the class &quot;compromised code in that repository will be executed&quot; is all that major a concern. There are plenty of IDEs that will go autonomously run npm installs (with post-install scripts) for you when they detect a package.json. This isn&#x27;t all that different than that.<p>They could throw up a warning like &quot;do you trust this repository&quot; oh wait they already do, and no one cares. Security is hard. Ultimately if you have compromised code on your machine, all bets are off.
    • beart13 hours ago
      A lot of malware was delivered back in the day via Windows AutoPlay feature. Someone plugs a USB drive in and bam, they are immediately exploited. You could say it&#x27;s always a problem if the USB drive is already full of malware. However, Microsoft disabled AutoPlay in Windows 7 (and backported this fix) specifically to address this vulnerability.<p>This exploit feels very similar to me. I don&#x27;t know if there&#x27;s a specific name for this classification of AutoPlay issues.
      • 827a7 hours ago
        They should definitely fix it, but that&#x27;s mostly because its an &quot;unnecessary autoplay&quot; so to speak. There&#x27;s plenty of &quot;necessary autoplays&quot; out there, and AI is going to add more and more every day, because that&#x27;s where productivity comes from. But, why Cursor would ever need to execute the git binary in your project directory is beyond me; very clearly a bug.<p>Their ignorance of the bug report is also very clear and concerning negligence.<p>But I think simultaneously, the security team is making a mountain out of a molehill. This is a classic thing security teams love doing; everything is military defcon P0. So, its important to check them regularly, and remind them that the most secure system is no system; they are but one part of a greater ecosystem.
  • nubg15 hours ago
    &gt; Most coordinated disclosures follow a familiar pattern:<p>&gt; 1. A vulnerability is reported.<p>&gt; 2. A dialogue begins.<p>&gt; 3. Severity is discussed.<p>&gt; 4. Engineering teams investigate.<p>&gt; 5. Fixes are developed.<p>&gt; 6. Users are protected.<p>&gt; 7. Public disclosure follows.<p>8. The author prompts an LLM to write a blog post.<p>9. HN users are wasting time, unsure which parts of the post come from the actual prompt, and which are hallucinated world knowledge slop.
    • mike_hock14 hours ago
      Maybe the bug report got ignored because they posted another 1000 slop reports, who knows.
      • dakolli14 hours ago
        The disclosure seems pretty straight-forward, definitely some LLM assisted writing here, but not nearly as bad as most of the other stuff on this site.
        • mike_hock17 minutes ago
          Yes, the question is whether it drowned in a myriad of other LLM &quot;assisted&quot; reports, because that would be a way in which a simple straightforward report could be missed.
      • skeledrew14 hours ago
        Wonder who&#x27;s fault it is when a critical security issue goes unresolved because &quot;slop&quot; report (sure ain&#x27;t the reporters&#x27;).
  • iririririr8 hours ago
    this attack vector is part of the spec in all Java build systems.<p>you don&#x27;t even need ai slop ide. Java Devs will happily execute your malicious maven&#x2F;gradle&#x2F;Grovy&#x2F;whatever that you push to any public repo. bonus point ofy commit message is complaining about some build plugin version compatibility
  • chrisjj14 hours ago
    &gt; Until the IDE is patched, open untrusted repositories only in an isolated VM, Windows Sandbox, or other disposable environment.<p>Got to wonder why trusted repositories are excluded...
    • dalemhurley14 hours ago
      Except it might come from a trusted repo. Some of the biggest repos have been recently targeted in supply chain attacks. Consider for a moment<p>1. Attacker takes over maintenance of a widely used Cursor extension<p>2. Attacker adds a remote backdoor to monitor which repos are being maintained<p>3. Attacker decides to only infect the largest one with a git commit hook<p>4. The developer didn’t even know they just included git.exe in their commit<p>5. The developer is a sole maintainer on the repo and merges their own PR without review (because they(&#x2F;their AI) wrote it)<p>6. Now a trusted repo is infected<p>7. A contributor pulls down the infected repo and opens cursor
  • TZubiri6 hours ago
    &gt;This bug is simple. A developer opens a repository in Cursor on Windows, and if that repository contains a malicious git.exe in the project root,<p>A vuln that requires an existing malicious executable to have already been downloaded and have it executable bit set to true? Doesn&#x27;t sound like a vuln<p>&gt;The vulnerability was first identified by Mindgard on December 15, 2025. We reported it the same day and multiple times since. More than six months and 197+ new versions later, the issue remains present in the latest tested version of Cursor.<p>It&#x27;s probably 3 factors:<p>- Lots of bounty begs powered by vibecoding. This gets lost in the noise (like this report)<p>- Cursor is itself vibecoded so they ship features faster than they care to fix issues.<p>- don&#x27;t know if it&#x27;s me or the way Mindgard is putting this, but it&#x27;s presented as a critical bug, and upon reading it, it&#x27;s very hard to see the subtle low priority security issue.<p>Here&#x27;s a rough unbiased summary of the &#x27;issue&#x27;:<p>Cursor loads the &#x27;git&#x27; dependency at runtime. If the user has downloaded a malicious repository, they will get pwned when they open cursor even if they don&#x27;t run any prompts.<p>The author seems to suggest that either git should be looked for in the &#x27;proper dependency&#x27; folder to mitigate this risk. This would mean that attackers would pwn the victim when a the user opens cursor and runs 1 prompt that executes a vulnerable file called runme.exe instead of being pwned just by the user opening cursor on the malicious repo.
  • jyswee50 minutes ago
    [dead]
  • DaWe0115 hours ago
    [flagged]
  • sieabahlpark15 hours ago
    [dead]
  • yieldcrv9 hours ago
    Why do you guys write essays to justify doing the leak<p>Have you all drunk too much psyop koolaid?<p>Three things are obvious:<p>1 - “Responsible disclosure” by a unilaterally proscribed process only benefits an abuser<p>2 - The abuser sets a price for the disclosure that is arbitrary and parallel to its market value, the attractiveness is based solely on your <i>vulnerability</i> to how much the abuser can abuse you with the state<p>3 - The vulnerability’s continued existence isn&#x27;t necessarily a breakdown of disclosure processes, it could literally be malice. congratulations you found the honeypot, it wont be confirmed by the state for 70 years