{"id":14767,"date":"2025-09-10T12:26:01","date_gmt":"2025-09-10T12:26:01","guid":{"rendered":"https:\/\/newestek.com\/?p=14767"},"modified":"2025-09-10T12:26:01","modified_gmt":"2025-09-10T12:26:01","slug":"cursors-autorun-lets-hackers-execute-arbitrary-code","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=14767","title":{"rendered":"Cursor\u2019s autorun lets hackers execute arbitrary code"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Oasis Security has uncovered a flaw in the widely used AI-powered code editor Cursor that lets malicious repositories silently execute code the moment a developer opens them.<\/p>\n<p>According to a disclosure shared with CSO ahead of its publication on Wednesday, the issue comes from how Cursor lets certain project settings trigger tasks to run automatically as soon as a folder is opened, without asking the user first.<\/p>\n<p>Hardly surprised, security leaders see the discovery as one more instance where ease of use won over secure defaults. \u201cWith Workspace Trust disabled by default in Cursor, this vulnerability effectively turns a simple \u2018open folder\u2019 action into a potential full compromise of a developer\u2019s machine,\u201d said Fenix24\u2019s CISO, Heath Renfrow. 
Cequence Security CISO, Randolph Barr, noted a familiar pattern: \u201cWhen products hit hypergrowth adoption, \u2018secure by default\u2019 often gets sacrificed for speed.\u201d<\/p>\n<p>Cursor, a leading \u2018vibe coding\u2019 platform, turns natural language prompts into working code\u2013offering speed and power while raising <a href=\"https:\/\/www.csoonline.com\/article\/4053635\/when-ai-nukes-your-database-the-dark-side-of-vibe-coding.html\">new enterprise security considerations<\/a>. A successful exploit will allow attackers to access sensitive data within developer environments, including API keys, cloud credentials, and SaaS sessions.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Autorun RCE allows organization-wide compromise<\/h2>\n<p>The flaw exists because Cursor ships with Workspace Trust turned off by default, allowing tasks to run automatically without explicit user approval. This allows attackers to inject into public repositories a crafted \u201c.vscode\/tasks.json\u201d file, which can be set to autorun tasks the moment a folder is opened \u2014 no prompt, no warning. This execution pathway can allow a malicious repository to compromise a developer\u2019s machine through something as ordinary as browsing into a project.<\/p>\n<p>\u201cOpening a crafted workspace can execute commands under the current user\u2019s privileges, inheriting file-system, network, and credential access,\u201d Oasis researchers said in the <a href=\"https:\/\/www.oasis.security\/blog\/cursor-security-flaw\" target=\"_blank\" rel=\"noreferrer noopener\">disclosure<\/a>. 
\u201cReadable environment variables and locally stored secrets (tokens, API, config files) can be harvested, creating a direct path to unauthorized access with an organization-wide blast radius.\u201d<\/p>\n<p>Trey Ford, chief strategy and trust officer at Bugcrowd, compared the flaw to old-school vulnerabilities like \u2018autorun.inf\u2019 on removable drives, where simply inserting media could trigger malicious programs. \u201cDevelopers and operations teams using these platforms have considerable access in terms of systems, infrastructure, intellectual property, and strategic plans and partnerships \u2013 having a simple way to directly compromise these systems is an embarrassment,\u201d Ford said.<\/p>\n<p>Oasis researchers noted that the flaw does not affect Visual Studio Code. \u201cVisual Studio Code enables Workspace trust by default and gates execution of risky hooks (tasks, debug preLaunchTask, and certain extension activations) until a folder is explicitly trusted,\u201d they said. \u201cCursor\u2019s default disables this protection, so autoruns such as runOn: \u2018folderOpen\u2019 fire without a consent prompt.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Security Debt in the Cursor Ecosystem<\/h2>\n<p>The disclosure isn\u2019t an isolated scenario. Earlier this year, Cursor was already targeted by campaigns like <a href=\"https:\/\/www.tenable.com\/blog\/faq-cve-2025-54135-cve-2025-54136-vulnerabilities-in-cursor-curxecute-mcpoison\">CurXecute and MCPoison<\/a>, along with <a href=\"https:\/\/www.csoonline.com\/article\/4004261\/new-npm-threats-can-erase-production-systems-with-a-single-request.html\">npm package tampering<\/a> aimed at macOS users. 
Barr warned that the .vscode\/tasks.json issue is \u201cjust another piece of the same puzzle: attackers are looking deep into Cursor\u2019s ecosystem to uncover any pathway to execution.\u201d<\/p>\n<p>Cursor did not immediately respond to CSO\u2019s request for comments.<\/p>\n<p>Hinting at a silver lining, Ford said, \u201cCursor is at the point where they\u2019re being compared to (and increasingly targeted like) Microsoft\u2019s Visual Studio. This is a cause for a high-five and a reckoning to further harden and expand enterprise security capabilities.\u201d To mitigate the issue, Oasis researchers advise enabling Workspace Trust and taking extra care with unknown repositories\u2013such as opening them elsewhere, reviewing them first, and limiting exposed secrets.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Oasis Security has uncovered a flaw in the widely used AI-powered code editor Cursor that lets malicious repositories silently execute code the moment a developer opens them. 
According to a disclosure shared with CSO ahead of its publication on Wednesday, the issue comes from how Cursor lets certain project settings trigger tasks to run automatically as soon as a folder is opened, without asking the&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=14767\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-14767","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14767","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=14767"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/14767\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=14767"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=14767"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=14767"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}