Cursor CLI Project Configuration Vulnerability

Key Takeaways

• Cursor CLI trusted project configuration files by default
• Malicious repositories could trigger command execution
• Attack required user interaction to open a crafted project
• No confirmed exploitation or breach reported
• Vendor released a fix to restrict unsafe behavior

Project Configuration Became an Execution Vector

A vulnerability in the Cursor CLI allowed malicious project configuration files to trigger command execution when users opened untrusted repositories. The issue stemmed from permissive handling of project-level configuration, which the CLI loaded automatically as part of AI-assisted workflows. While no active exploitation was confirmed, the vulnerability exposed risks in developer tooling that blends automation with local execution.

Source: GitHub Security Advisory

What We Know

The issue was disclosed on October 21, 2025 via a GitHub Security Advisory affecting the Cursor CLI. The advisory describes how project configuration files embedded in repositories could define commands or settings that were executed automatically by the CLI when the project was opened.

Because the Cursor CLI is often used alongside AI-assisted coding features, the configuration loading process occurred with minimal user review. An attacker could publish a repository containing a malicious configuration file and persuade a victim to open it, triggering command execution.

The maintainers addressed the issue by restricting which configuration fields could execute commands and by adding additional validation. At the time of disclosure, no confirmed reports of real-world exploitation were identified.

Source: GitHub Advisory GHSA-v64q-396f-7m79

How the Breach Happened

This incident resulted from overly permissive trust in project-level configuration files within an AI-assisted CLI tool. Configuration files are designed to customize behavior, but in this case they were allowed to define actions that led directly to command execution.

In AI-driven workflows, developer tools may act autonomously to streamline tasks such as environment setup, dependency installation, or code generation. This automation reduced friction but also lowered barriers for malicious configuration to take effect.

The vulnerability illustrates how AI-enhanced developer tooling can magnify traditional supply chain risks when untrusted repositories are treated as safe inputs.

Why It Matters

AI-assisted CLIs are increasingly used to bootstrap projects, manage environments, and automate repetitive tasks. A vulnerability that allows code execution through project configuration threatens not only developer machines but also downstream systems connected through credentials or automation.

Even without confirmed exploitation, the potential impact includes compromise of developer environments, credential theft, and lateral movement into CI or cloud resources. Organizations relying on AI-assisted tooling must treat project configuration as untrusted input.

This incident reinforces the need for stronger safeguards around how AI tools load and execute project metadata.

PointGuard AI Perspective

This vulnerability highlights how AI-assisted automation can blur the line between configuration and execution.

PointGuard AI helps organizations secure AI-driven development workflows by monitoring how AI tools interact with local systems, repositories, and execution paths. This enables detection of unexpected command execution triggered by configuration files.

Policy-based controls allow teams to restrict what AI-powered CLIs and agents are permitted to execute, reducing the blast radius of malicious repositories.

By tracking and analyzing AI-related security incidents, PointGuard AI supports proactive defense strategies for organizations adopting AI-powered developer tools.

Source: AI Runtime Defense
Source: AI Supply Chain Security
Source: AI Security Incident Tracker

Incident Scorecard Details

Total AISSI Score: 7.5/10

Criticality = 7.5, Arbitrary command execution via configuration, AISSI weighting: 25%
Propagation = 7.0, Requires opening a malicious repository, AISSI weighting: 20%
Exploitability = 7.5, Low complexity once configuration is loaded, AISSI weighting: 15%
Supply Chain = 7.5, Impacts AI-assisted developer tooling supply chain, AISSI weighting: 15%
Business Impact = 6.5, No confirmed exploitation or breach reported, AISSI weighting: 25%

Sources

• GitHub Security Advisory GHSA-v64q-396f-7m79