NHI Forum

Cursor RCE in Open Repos: How Simple Access Leads to Full Compromise


(@oasis-security)
Estimable Member
Joined: 3 months ago
Posts: 40
Topic starter  

Read full article here: https://www.oasis.security/blog/cursor-security-flaw/?utm_source=nhimg

 

A new research finding from Oasis Security reveals a serious security flaw in Cursor, the popular AI-powered code editor. The vulnerability allows malicious repositories to automatically execute code the moment they’re opened—without user consent. For developers and enterprises relying on Cursor, this represents a dangerous attack vector with real-world implications for supply chain security, cloud environments, and non-human identities (NHIs).

 

The Vulnerability: Auto-Execution on Folder Open

Cursor ships with Workspace Trust disabled by default, unlike Visual Studio Code, which enables it. That means a project only has to carry a task configured to run on folder open, and Cursor will execute it silently the moment the folder is opened.

Here’s how the exploit works:

  • A malicious actor commits a .vscode/tasks.json file into a repo.
  • One task in that file sets "runOptions": { "runOn": "folderOpen" } (the runOptions.runOn property of the task).
  • When a developer opens the repo in Cursor, the IDE immediately runs that task's command: no warning, no consent.

From that moment, attackers can run arbitrary code in the developer’s session, enabling theft of API keys, modification of source code, or backdoor installation.

 

Why It Matters: Developer Laptops Are Goldmines

Unlike isolated servers, developer machines often contain:

  • Cloud provider keys (AWS, GCP, Azure)
  • Personal Access Tokens (PATs) for GitHub, GitLab, or Bitbucket
  • API credentials for SaaS integrations
  • Active sessions across critical enterprise tools

That makes an RCE on a dev laptop a perfect pivot point into CI/CD pipelines, cloud infrastructure, and even non-human identities (NHIs) that carry powerful permissions. In short, one booby-trapped repo could compromise an entire enterprise.

Who’s at Risk?

  • Affected: Cursor users running default settings (Workspace Trust off).
  • Lower risk: VS Code users, where Workspace Trust is enabled by default and automatic tasks are blocked until the folder is explicitly trusted.

This highlights a core issue: security defaults matter. An insecure default in a widely used tool puts entire organizations at unnecessary risk.

 

How to Mitigate: Practical Steps

Oasis Security recommends immediate hardening for teams using Cursor:

  1. Enable Workspace Trust → turn on trust prompts before any project code runs (in VS Code-based editors this is the security.workspace.trust.enabled setting).
  2. Disable automatic tasks → set "task.allowAutomaticTasks": "off" in user settings, so no task runs on folder open even in a trusted workspace.
  3. Open unknown repos in isolation → use viewer-only editors, disposable containers, or VMs.
  4. Hunt & monitor →
    • Scan repos for .vscode/tasks.json entries whose runOptions.runOn is set to "folderOpen", and review the command each one would run.
    • Monitor for unexpected child processes of the editor, new shells, or outbound traffic right after a project is opened.
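Putting the exploit section and hunt step 4 together, here is an added example (not from the Oasis post or the Cursor project): a small Python hunter that walks a directory tree, parses every .vscode/tasks.json (tolerating the comments and trailing commas VS Code allows in that file), and reports any task whose runOptions.runOn is "folderOpen" along with the command it would run. It also checks a settings.json body for the two hardening keys from steps 1 and 2. The two sample repos and their tasks.json contents are constructed inline for the demo; the setting ids are VS Code's, and their applicability to Cursor as a VS Code fork is an assumption.

```python
"""Hunt for VS Code / Cursor tasks that auto-run on folder open.

Added example (not from the Oasis post or Cursor): walks a tree, finds every
.vscode/tasks.json, strips the comments and trailing commas VS Code tolerates
in that file, and reports tasks whose runOptions.runOn is "folderOpen".
Also checks a settings.json body for the hardening keys the post recommends.
"""
import json
import os
import re
import tempfile
from pathlib import Path

AUTORUN_TRIGGER = "folderOpen"

# VS Code setting ids; assumed to apply to Cursor as a VS Code fork.
HARDENED_SETTINGS = {
    "security.workspace.trust.enabled": True,
    "task.allowAutomaticTasks": "off",
}

# Group 1 keeps string literals intact so "//" inside a URL is not treated as a comment.
_COMMENT_RE = re.compile(r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING_COMMA_RE = re.compile(r",(\s*[}\]])")


def load_jsonc(text):
    """Parse JSON-with-comments as used by tasks.json and settings.json."""
    cleaned = _COMMENT_RE.sub(lambda m: m.group(1) or "", text)
    cleaned = _TRAILING_COMMA_RE.sub(r"\1", cleaned)  # not string-aware; good enough for config files
    return json.loads(cleaned)


def find_autorun_tasks(root):
    """Return (tasks.json path, task label, command line) for every folderOpen task under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in {".git", "node_modules"}]
        if os.path.basename(dirpath) != ".vscode" or "tasks.json" not in filenames:
            continue
        path = Path(dirpath) / "tasks.json"
        try:
            data = load_jsonc(path.read_text(encoding="utf-8"))
        except (ValueError, UnicodeDecodeError):
            findings.append((str(path), "<unparseable>", ""))  # worth a manual look
            continue
        tasks = data.get("tasks", []) if isinstance(data, dict) else []
        for task in tasks:
            if not isinstance(task, dict):
                continue
            if (task.get("runOptions") or {}).get("runOn") != AUTORUN_TRIGGER:
                continue
            # "command" may also be a per-platform object; str() keeps it visible in the report.
            parts = [str(task.get("command", ""))] + [str(a) for a in (task.get("args") or [])]
            findings.append((str(path), task.get("label", "<unlabeled>"), " ".join(parts).strip()))
    return findings


def missing_hardening(settings_json_text):
    """Return the hardening keys absent from, or weakened in, a settings.json body."""
    settings = load_jsonc(settings_json_text) if settings_json_text.strip() else {}
    return sorted(k for k, v in HARDENED_SETTINGS.items() if settings.get(k) != v)


# Constructed sample: a booby-trapped repo and a clean one (demo data, not a real payload).
MALICIOUS_TASKS_JSON = r'''{
  // Reads like a harmless dependency bootstrap
  "version": "2.0.0",
  "tasks": [
    {
      "label": "install deps",
      "type": "shell",
      "command": "sh",
      "args": ["-c", "echo ran-on-open > /tmp/pwned"],   // stand-in for the attacker's payload
      "runOptions": { "runOn": "folderOpen" },
    }
  ]
}'''
BENIGN_TASKS_JSON = '{"version": "2.0.0", "tasks": [{"label": "build", "type": "shell", "command": "make"}]}'


def build_sample_tree():
    """Write the two sample repos into a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="autorun-hunt-")
    for name, body in (("evil-repo", MALICIOUS_TASKS_JSON), ("clean-repo", BENIGN_TASKS_JSON)):
        vscode_dir = Path(root) / name / ".vscode"
        vscode_dir.mkdir(parents=True)
        (vscode_dir / "tasks.json").write_text(body, encoding="utf-8")
    return root


if __name__ == "__main__":
    for path, label, cmd in find_autorun_tasks(build_sample_tree()):
        print(f"AUTORUN  {path}\n  task {label!r} would run: {cmd}")
    print("settings still to fix:", missing_hardening('{"task.allowAutomaticTasks": "on"}'))
```

Run it as-is to scan the constructed sample, or point find_autorun_tasks at the root of your checkouts for a real hunt. It only looks at folder-level .vscode/tasks.json files, not .code-workspace files or a user-level tasks.json, so treat a clean result as necessary rather than sufficient.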

Cursor has acknowledged the issue and says updated guidance will be published soon. But waiting isn't a strategy; teams should act now.

 

Bigger Picture: AI Tools Expand the Attack Surface

This vulnerability isn’t just about Cursor. It’s part of a larger trend in AI-powered developer tools: powerful automation features, but insecure defaults. As AI agents and NHIs proliferate, the risk of hidden, supply-chain-style exploits only grows.

At Oasis Security, our mission is to secure the environments where AI agents, developer tools, and NHIs operate — from laptops to pipelines to cloud. By exposing risks like this Cursor flaw, we aim to give teams practical defenses against emerging attack vectors.
