Impact
Cursor, a code editor that integrates AI features, had a vulnerability that allowed an attacker to escape the sandbox by writing to improperly protected .git configuration files, including git hooks. This flaw, identified in versions prior to 2.5, permits malicious agent prompts to alter the .git settings, which can lead to execution of arbitrary code outside the sandbox environment. The weakness is a form of missing access control, as the editor fails to enforce proper permissions on these configuration files. The consequence is a high‑risk scenario where untrusted input can result in arbitrary code execution without any user interaction.
Affected Systems
This issue affects the Cursor code editor (vendor and product identifier cursor:cursor) in all releases older than version 2.5. Any deployment running one of those older versions is vulnerable unless the .git configuration files are manually patched or the application is upgraded.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity, and the EPSS score of less than 1% suggests that exploitation is unlikely at present. Because the flaw relies on Git automatically executing hooks, an attacker can trigger the vulnerability simply by having the editor run Git operations, irrespective of user actions. The attack vector is inferred to be local execution triggered by automatic Git processes, and exploitation requires no privileged access beyond what a malicious prompt injection can provide. The vulnerability is not listed in the CISA KEV catalog and no widespread exploitation has been reported, but the potential for zero-click remote code execution remains significant for affected installations.
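An added example (not part of the advisory and not Cursor's code): a Python audit of a repository's .git directory that lists the hooks Git would run and the config settings whose values Git executes as commands, which are the files the advisory says the agent could write. The key list is a selection of real Git settings chosen here, and the executable-bit check assumes a POSIX filesystem.

```python
import re, stat, sys
from pathlib import Path

# Real git settings whose value is run as a command (a selection, not exhaustive).
EXEC_KEYS = {"core.fsmonitor", "core.sshcommand", "core.pager", "core.editor",
             "core.hookspath", "credential.helper", "gpg.program"}
EXEC_SUFFIXES = (".clean", ".smudge", ".process", ".textconv")  # filter.*/diff.* drivers
SECTION = re.compile(r'^\[\s*([\w.-]+)(?:\s+"(.*)")?\s*\]')

def risky_config_entries(config_text):
    """Return (key, value) pairs from a .git/config body that can execute commands."""
    found, section = [], ""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1).lower()  # subsection name is dropped from the key
            continue
        name, _, value = line.partition("=")
        name, value = name.strip().lower(), value.strip()
        key = f"{section}.{name}"
        if (key in EXEC_KEYS or (section in ("filter", "diff") and key.endswith(EXEC_SUFFIXES))
                or (section == "alias" and value.lstrip('"').startswith("!"))):
            found.append((key, value))
    return found

def active_hooks(git_dir):
    """Return names of files in <git_dir>/hooks that are executable and not *.sample."""
    hooks = Path(git_dir) / "hooks"
    if not hooks.is_dir():
        return []
    return sorted(p.name for p in hooks.iterdir()
                  if p.is_file() and not p.name.endswith(".sample")
                  and p.stat().st_mode & stat.S_IXUSR)

def audit(git_dir):
    cfg = Path(git_dir) / "config"
    text = cfg.read_text(errors="replace") if cfg.is_file() else ""
    return {"hooks": active_hooks(git_dir), "config": risky_config_entries(text)}

if __name__ == "__main__":
    report = audit(sys.argv[1] if len(sys.argv) > 1 else ".git")
    for name in report["hooks"]:
        print(f"active hook: {name}")
    for key, value in report["config"]:
        print(f"command-bearing config: {key} = {value}")
    sys.exit(1 if report["hooks"] or report["config"] else 0)
```

Findings are items to review, not verdicts: a repository may legitimately carry hooks or an LFS filter, so compare the output against what the project is expected to have.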