
Cursor IDE 0-Day Vulnerability: Critical Security Flaw Allows Arbitrary Code Execution via Malicious Git Binaries
A critical 0-day vulnerability has been disclosed in Cursor, a leading AI-assisted development environment, which allows for arbitrary code execution on Windows systems. Discovered by security firm Mindgard, the flaw occurs because Cursor attempts to locate git binaries within a project's workspace. If a user opens a repository containing a malicious 'git.exe' in the root directory, the IDE executes the file automatically without any user interaction, prompts, or security warnings. Despite being reported in December 2025, the vulnerability remains unpatched more than six months later, even after nearly 200 version updates. With over 7 million active users and a $60 billion market valuation, the lack of a fix for this simple yet dangerous exploit raises significant concerns regarding security practices within the AI tool industry.
Key Takeaways
- Automatic Execution: Cursor automatically searches for and executes
git.exefrom the root of an opened project on Windows without user consent. - Zero Interaction Required: Exploitation does not require clicks, approval dialogs, or any form of user prompt, leading to immediate arbitrary code execution.
- Unpatched Status: The vulnerability was reported on December 15, 2025, but remains active after six months and over 197 new version releases.
- Massive Exposure: The flaw impacts a user base of over 7 million active users and more than 50,000 companies using the platform.
- Simplicity of Exploit: Unlike complex memory corruption or prompt injection attacks, this vulnerability relies on a basic failure in binary path searching.
In-Depth Analysis
The Mechanism of the Cursor 0-Day
The vulnerability identified by Mindgard in the Cursor IDE is notable for its technical simplicity and high impact. When a developer loads a project into the environment, Cursor initiates a search for git binaries to facilitate version control features. The IDE is designed to look at various locations to find these binaries, including the current workspace root.
On Windows systems, if an attacker plants a malicious file named git.exe in the root of a repository, Cursor will identify and execute this binary. This process happens automatically and, crucially, on a repeated cadence. There are no security checkpoints, such as "Trust this folder" prompts or execution warnings, that would typically prevent an IDE from running unknown binaries found within a project's source code. This results in arbitrary code execution (ACE), effectively giving the malicious binary the same permissions as the user running the IDE.
A Timeline of Security Neglect
Perhaps more concerning than the technical flaw itself is the response—or lack thereof—from the Cursor development team. Mindgard first identified and reported the issue on December 15, 2025. In the subsequent six months, the researchers reported the flaw multiple times. During this period, Cursor released more than 197 new versions of the software.
Despite the high frequency of updates, the latest tested version of the IDE still contains the vulnerability. This situation has led to the decision for "full disclosure," as traditional private reporting channels failed to produce a fix. The persistence of such a straightforward bug through hundreds of iterations suggests a potential gap in the security review process for one of the world's most valuable AI startups. The vulnerability is not theoretical; it does not require sophisticated tradecraft like model manipulation or jailbreaking, making it an accessible vector for supply chain attacks where developers are targeted through malicious repositories.
Scale and Risk Assessment
The risk profile of this 0-day is amplified by Cursor's rapid market adoption. With a reported market valuation of $60 billion and a user base exceeding 7 million active users (including 1 million daily active users), the platform is a cornerstone of the modern AI-assisted development workflow.
Furthermore, the fact that over 50,000 companies utilize Cursor means that this vulnerability could serve as an entry point into secure corporate environments. Because the exploit is triggered simply by opening a project, any developer who clones a public repository or receives a project folder from an untrusted source is at risk. The lack of a fix for a bug that requires no complex exploitation chain—only the presence of a file in a root directory—highlights a significant oversight in protecting a massive professional user base.
Industry Impact
The disclosure of the Cursor 0-day has significant implications for the AI-assisted development industry. As AI tools become more integrated into the software development lifecycle, they gain deep access to local file systems and execution environments. This incident underscores the necessity for these tools to adhere to established security best practices, such as validating binary paths and implementing robust "trusted workspace" protocols.
For the broader tech industry, this case serves as a reminder that high valuations and rapid feature iteration do not always correlate with security maturity. When a widely used tool fails to address a reported critical vulnerability for over half a year, it erodes trust in the ecosystem. Organizations may need to implement stricter controls on the use of AI IDEs on managed Windows systems, such as restricting the ability of applications to execute binaries from user-writable workspace directories, until a formal patch is deployed.
Frequently Asked Questions
Question: How is the Cursor 0-day vulnerability triggered?
It is triggered when a user opens a project or repository in Cursor on a Windows system that contains a malicious file named git.exe in the root directory. The IDE automatically searches for and executes this file without any user interaction or confirmation.
Question: Has Cursor released a fix for this issue?
As of the latest report from Mindgard, the issue remains unpatched. The vulnerability has persisted for over six months and through more than 197 version updates since it was first reported in December 2025.
Question: What makes this vulnerability different from other AI security risks?
Unlike many AI-specific risks that involve prompt injection or model hallucinations, this is a traditional software security flaw. It does not require complex exploitation techniques; it simply exploits the way the IDE searches for system binaries within a user's workspace.


