Back to List
Cursor IDE 0-Day Vulnerability: Critical Security Flaw Allows Arbitrary Code Execution via Malicious Git Binaries
Industry NewsCybersecurityCursor IDE0-day

Cursor IDE 0-Day Vulnerability: Critical Security Flaw Allows Arbitrary Code Execution via Malicious Git Binaries

A critical 0-day vulnerability has been disclosed in Cursor, a leading AI-assisted development environment, which allows for arbitrary code execution on Windows systems. Discovered by security firm Mindgard, the flaw occurs because Cursor attempts to locate git binaries within a project's workspace. If a user opens a repository containing a malicious 'git.exe' in the root directory, the IDE executes the file automatically without any user interaction, prompts, or security warnings. Despite being reported in December 2025, the vulnerability remains unpatched more than six months later, even after nearly 200 version updates. With over 7 million active users and a $60 billion market valuation, the lack of a fix for this simple yet dangerous exploit raises significant concerns regarding security practices within the AI tool industry.

Hacker News

Key Takeaways

  • Automatic Execution: Cursor automatically searches for and executes git.exe from the root of an opened project on Windows without user consent.
  • Zero Interaction Required: Exploitation does not require clicks, approval dialogs, or any form of user prompt, leading to immediate arbitrary code execution.
  • Unpatched Status: The vulnerability was reported on December 15, 2025, but remains active after six months and over 197 new version releases.
  • Massive Exposure: The flaw impacts a user base of over 7 million active users and more than 50,000 companies using the platform.
  • Simplicity of Exploit: Unlike complex memory corruption or prompt injection attacks, this vulnerability relies on a basic failure in binary path searching.

In-Depth Analysis

The Mechanism of the Cursor 0-Day

The vulnerability identified by Mindgard in the Cursor IDE is notable for its technical simplicity and high impact. When a developer loads a project into the environment, Cursor initiates a search for git binaries to facilitate version control features. The IDE is designed to look at various locations to find these binaries, including the current workspace root.

On Windows systems, if an attacker plants a malicious file named git.exe in the root of a repository, Cursor will identify and execute this binary. This process happens automatically and, crucially, on a repeated cadence. There are no security checkpoints, such as "Trust this folder" prompts or execution warnings, that would typically prevent an IDE from running unknown binaries found within a project's source code. This results in arbitrary code execution (ACE), effectively giving the malicious binary the same permissions as the user running the IDE.

A Timeline of Security Neglect

Perhaps more concerning than the technical flaw itself is the response—or lack thereof—from the Cursor development team. Mindgard first identified and reported the issue on December 15, 2025. In the subsequent six months, the researchers reported the flaw multiple times. During this period, Cursor released more than 197 new versions of the software.

Despite the high frequency of updates, the latest tested version of the IDE still contains the vulnerability. This situation has led to the decision for "full disclosure," as traditional private reporting channels failed to produce a fix. The persistence of such a straightforward bug through hundreds of iterations suggests a potential gap in the security review process for one of the world's most valuable AI startups. The vulnerability is not theoretical; it does not require sophisticated tradecraft like model manipulation or jailbreaking, making it an accessible vector for supply chain attacks where developers are targeted through malicious repositories.

Scale and Risk Assessment

The risk profile of this 0-day is amplified by Cursor's rapid market adoption. With a reported market valuation of $60 billion and a user base exceeding 7 million active users (including 1 million daily active users), the platform is a cornerstone of the modern AI-assisted development workflow.

Furthermore, the fact that over 50,000 companies utilize Cursor means that this vulnerability could serve as an entry point into secure corporate environments. Because the exploit is triggered simply by opening a project, any developer who clones a public repository or receives a project folder from an untrusted source is at risk. The lack of a fix for a bug that requires no complex exploitation chain—only the presence of a file in a root directory—highlights a significant oversight in protecting a massive professional user base.

Industry Impact

The disclosure of the Cursor 0-day has significant implications for the AI-assisted development industry. As AI tools become more integrated into the software development lifecycle, they gain deep access to local file systems and execution environments. This incident underscores the necessity for these tools to adhere to established security best practices, such as validating binary paths and implementing robust "trusted workspace" protocols.

For the broader tech industry, this case serves as a reminder that high valuations and rapid feature iteration do not always correlate with security maturity. When a widely used tool fails to address a reported critical vulnerability for over half a year, it erodes trust in the ecosystem. Organizations may need to implement stricter controls on the use of AI IDEs on managed Windows systems, such as restricting the ability of applications to execute binaries from user-writable workspace directories, until a formal patch is deployed.

Frequently Asked Questions

Question: How is the Cursor 0-day vulnerability triggered?

It is triggered when a user opens a project or repository in Cursor on a Windows system that contains a malicious file named git.exe in the root directory. The IDE automatically searches for and executes this file without any user interaction or confirmation.

Question: Has Cursor released a fix for this issue?

As of the latest report from Mindgard, the issue remains unpatched. The vulnerability has persisted for over six months and through more than 197 version updates since it was first reported in December 2025.

Question: What makes this vulnerability different from other AI security risks?

Unlike many AI-specific risks that involve prompt injection or model hallucinations, this is a traditional software security flaw. It does not require complex exploitation techniques; it simply exploits the way the IDE searches for system binaries within a user's workspace.

Related News

Meituan Showcases AI Innovation at ACL 2026: Advancing LLM Evaluation and Reasoning Paradigms
Industry News

Meituan Showcases AI Innovation at ACL 2026: Advancing LLM Evaluation and Reasoning Paradigms

The Meituan Technical Team has achieved a significant milestone in the field of Natural Language Processing (NLP) with the acceptance of six research papers at ACL 2026, a premier international academic conference. These contributions span a diverse range of cutting-edge AI domains, including large language model (LLM) evaluation, complex process reasoning, and competition-level mathematical thinking optimization. Additionally, the research explores advancements in reinforcement learning and the emerging field of generative recommendation systems. By focusing on these critical technical directions, Meituan aims to establish a new generation paradigm for AI development. This achievement highlights the company's commitment to bridging the gap between theoretical research and practical industrial applications, ultimately enhancing the intelligence and efficiency of AI models across various specialized sectors.

Meituan Fulfillment AI Team Showcases Frontier Agent Technology and ACL 2026 Research Insights
Industry News

Meituan Fulfillment AI Team Showcases Frontier Agent Technology and ACL 2026 Research Insights

The Meituan Fulfillment AI Algorithm Team has unveiled its latest advancements in Large Language Model (LLM) Agent technology, specifically focusing on the integration of AI within Meituan's fulfillment business. By developing a self-evolving Agent operation system, the team leverages core technologies such as Continuous Pre-Training (CPT), Post-training, Agentic Reinforcement Learning (RL), and multimodal understanding. With a track record of numerous publications in top-tier conferences like ACL and EMNLP, this special session highlights their recent contributions to ACL 2026. The research emphasizes the practical application of AI agents to optimize operational efficiency and service delivery within the Meituan ecosystem, marking a significant step in industrial AI implementation and the evolution of autonomous business operations.

Google Faces Legal Action from Hachette and Scott Turow Over Gemini AI Training Data Usage
Industry News

Google Faces Legal Action from Hachette and Scott Turow Over Gemini AI Training Data Usage

Google is currently facing a significant lawsuit regarding the training data utilized for its Gemini AI models. The legal action has been initiated by high-profile plaintiffs, including the major global publishing house Hachette and the renowned author Scott Turow. The core of the dispute centers on the unauthorized use of copyrighted literary works to train Google's advanced generative artificial intelligence systems. This case represents a critical juncture in the ongoing conflict between technology companies and the creative industry, as authors and publishers seek to protect their intellectual property rights in the era of large-scale AI development. The outcome of this lawsuit could have lasting effects on how AI models are trained and how data is sourced across the tech industry.