CVE-2025-54132

Published Aug 1, 2025

Last updated 7 months ago

CVSS medium 4.4
Cursor AI

Overview

Description
Cursor is a code editor built for programming with AI. In versions below 1.3, Mermaid (which is used to render diagrams) allows embedding images which then get rendered by Cursor in the chat box. An attacker can use this to exfiltrate sensitive information to a third-party attacker controlled server through an image fetch after successfully performing a prompt injection. A malicious model (or hallucination/backdoor) might also trigger this exploit at will. This issue requires prompt injection from malicious data (web, image upload, source code) in order to exploit. In that case, it can send sensitive information to an attacker-controlled external server. This is fixed in version 1.3.
Source
security-advisories@github.com
NVD status
Analyzed
Products
cursor

Risk scores

CVSS 3.1

Type
Primary
Base score
7.5
Impact score
3.6
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-918
nvd@nist.gov
NVD-CWE-noinfo

Social media

Hype score
Not currently trending

  1. Cursor IDE: Arbitrary Data Exfiltration Via Mermaid (CVE-2025-54132) https://t.co/uTGYbSsYVu https://t.co/20GZAqaOBx

    @ngnicky

    8 Aug 2025

    684 Impressions

    3 Retweets

    5 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  2. 👉 Episode 4: Cursor IDE Arbitrary Data Exfiltration via Mermaid (CVE-2025-54132) 🏴‍☠️ https://t.co/3sbhYkPSSx

    @wunderwuzzi23

    4 Aug 2025

    4232 Impressions

    8 Retweets

    40 Likes

    26 Bookmarks

    1 Reply

    2 Quotes

  3. CVE-2025-54132 Prompt Injection Vulnerability in Cursor Code Editor Versions Below 1.3 https://t.co/vpJ6iJAmOk

    @VulmonFeeds

    1 Aug 2025

    16 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. CVE-2025-54132 Cursor is a code editor built for programming with AI. In versions below 1.3, Mermaid (which is used to render diagrams) allows embedding images which then get render… https://t.co/ejNKgV8qVV

    @CVEnew

    1 Aug 2025

    393 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Cursor is a code editor built for programming with AI. Sandbox escape via writing .git configuration was possible in versions prior to 2.5. A malicious agent (ie prompt injection) could write to improperly protected .git settings, including git hooks, which may cause out-of-sandbox RCE next time they are triggered. No user interaction was required as Git executes these commands automatically. Fixed in version 2.5.CVE-2026-26268
  2. Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval. This allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3.CVE-2026-22708
  3. Cursor is a code editor built for programming with AI. In versions 1.7.23 and below, a logic bug allows a malicious agent to read sensitive files that should be protected via cursorignore. An attacker who has already achieved prompt injection, or a malicious model, could create a new cursorignore file which can invalidate the configuration of pre-existing ones. This could allow a malicious agent to read protected files. This issue is fixed in version 2.0.CVE-2025-64110
  4. Cursor is a code editor built for programming with AI. In versions 1.7.28 and below, an input validation flaw in Cursor's MCP server installation enables specially crafted deep-links to bypass the standard security warnings and conceal executed commands from users if they choose to accept the server. If an attacker is able to convince a victim to navigate to a malicious deeplink, the victim will not see the correct speedbump modal, and if they choose to accept, will execute commands specified by the attackers deeplink.CVE-2025-64106
  5. Cursor is a code editor built for programming with AI. In versions 1.7.44 and below, various NTFS path quirks allow a prompt injection attacker to circumvent sensitive file protections and overwrite files which Cursor requires human approval to overwrite. Modification of some of the protected files can lead to RCE. Must be chained with a prompt injection or malicious model attach. Only affects systems supporting NTFS. This issue is fixed in version 2.0.CVE-2025-64108

References

Sources include official advisories and independent security research.