Strix
26.1K

CVE-2025-54130

CRITICALCVSS 9.8/10EPSS 0.25%

Last modified

CVE-2025-54130 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions less than 1.3.9. EPSS estimates a 0.25% chance of exploitation in the next 30 days.

Description

Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions less than 1.3.9. If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive editor files, such as the .vscode/settings.json file don't already exist in the workspace, an attacker can chain a indirect prompt injection vulnerability to hijack the context to write to the settings file and trigger RCE on the victim without user approval. This is fixed in version 1.3.9.

Metrics

CVSS 3.1
9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability
0.25%

16.3th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

VendorProductVersions
AnysphereCursor< 1.3.9

References

Timeline

Published
Last Modified
Status
Analyzed

Frequently Asked Questions

What is CVE-2025-54130?
Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions less than 1.3.9. If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive editor files, such as the .vscode/settings.json file don't already exist in the workspace, an attacker can chain a indirect prompt injection vulnerability to hijack the context to write to the settings file and trigger RCE on the victim without user approval. This is fixed in version 1.3.9.
How severe is CVE-2025-54130?
CVE-2025-54130 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 0.25% probability of exploitation in the next 30 days.
How do I fix CVE-2025-54130?
Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2025-54130?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST