Critical Cursor bug could turn routine Git into RCE

Expanded attack surface with agentic IDEs: Novee warned that while traditional IDEs are passive, doing what developers explicitly tell them to do, Cursor’s AI agent interprets intent and autonomously decides which commands to run, which includes Git operations. And that’s where the problem lies.

“In traditional pentesting, ‘client-side’ attacks targeting developer machines have always been a known vector,” Levkovich noted. “But they relied on user error or a lapse in vigilance, typically requiring a degree of deliberate action on the part of the victim: opening a malicious file, executing a script, clicking a link.”

Security has long relied on trusted IDEs and human action as safeguards, but AI agents remove both constraints, he added.

As the attack path does not need phishing or tricking the user into running scripts beyond cloning the bare repository, and malicious code executes as part of the normal development workflow, it is quite difficult to detect.

Still, Cursor contested NVD’s critical rating of the flaw and instead issued its own high-severity CVSS score of 8.0 out of 10. The flaw is patched in Cursor version 2.5.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4164250/critical-cursor-bug-could-turn-routine-git-into-rce.html
