CVE-2025-59944Improper Handling of Case Sensitivity in Cursor

CWE-178Improper Handling of Case Sensitivity1 documents1 sources
Severity
9.8CRITICALNVD
EPSS
0.1%
top 65.46%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
CursorAnysphere Cursor
Timeline
PublishedOct 3

Description

Cursor is a code editor built for programming with AI. Versions 1.6.23 and below contain case-sensitive checks in the way Cursor IDE protects its sensitive files (e.g., */.cursor/mcp.json), which allows attackers to modify the content of these files through prompt injection and achieve remote code execution. A prompt injection can lead to full RCE through modifying sensitive files on case-insensitive fileystems. This issue is fixed in version 1.7.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HExploitability: 3.9 | Impact: 5.9

Affected Packages2 packages

CVEListV5cursor/cursor< 1.7
NVDanysphere/cursor1.6.23