What’s new: A security vulnerability has been identified in the Cursor AI code editor that allows for silent code execution when a malicious repository is opened. The flaw is due to the default disabling of the Workspace Trust feature, which can lead to arbitrary code execution on users’ machines when they open a project containing a maliciously crafted .vscode/tasks.json file.
Who’s affected
Users of the Cursor AI code editor are at risk, particularly those who open untrusted repositories without enabling the Workspace Trust feature. This vulnerability can lead to sensitive data leaks, file modifications, and broader system compromises.
What to do
- Enable Workspace Trust in Cursor to mitigate the risk of silent code execution.
- Open untrusted repositories in a different code editor and audit them before using them in Cursor.
