Oasis Security has uncovered a flaw in the widely used AI-powered code editor Cursor that lets malicious repositories silently execute code the moment a developer opens them.
According to a disclosure shared with CSO ahead of its publication on Wednesday, the issue comes from how Cursor lets certain project settings trigger tasks to run automatically as soon as a folder is opened, without asking the user first.
Hardly surprised, security leaders see the discovery as one more instance where ease of use won over secure defaults.“With Workspace Trust disabled by default in Cursor, this vulnerability effectively turns a simple ‘open folder’ action into a potential full compromise of a developer’s machine,” said Fenix24’s CISO, Heath Renfrow. Cequence Security CISO, Randolph Barr, noted a familiar pattern: “When products hit hypergrowth adoption, ‘secure by default’ often gets sacrificed for speed.’
Cursor, a leading ‘vibe coding’ platform, turns natural language prompts into working code–offering speed and power while raising new enterprise security considerations. A successful exploit will allow attackers to access sensitive data within developer environments, including API keys, cloud credentials, and SaaS sessions.
Autorun RCE allows organization-wide compromise
The flaw exists because Cursor ships with Workspace Trust turned off by default, allowing tasks to run automatically without explicit user approval. This allows attackers to inject into public repositories a crafted “.vscode/tasks.json” file, which can be set to autorun tasks the moment a folder is opened — no prompt, no warning. This execution pathway can allow a malicious repository to compromise a developer’s machine through something as ordinary as browsing into a project.
“Opening a crafted workspace can execute commands under the current user’s privileges, inheriting file-system, network, and credential access,” Oasis researchers said in the disclosure. “Readable environment variables and locally stored secrets (tokens, API, config files) can be harvested, creating a direct path to unauthorized access with an organization-wide blast radius.”
Trey Ford, chief strategy and trust officer at Bugcrowd, compared the flaw to old-school vulnerabilities like ‘autorun.inf’ on removable drives, where simply inserting media could trigger malicious programs. “Developers and operations teams using these platforms have considerable access in terms of systems, infrastructure, intellectual property, and strategic plans and partnerships – having a simple way to directly compromise these systems is an embarrassment,” Ford said.
Oasis researchers noted that the flaw does not affect Visual Studio Code. “Visual Studio Code enables Workspace trust by default and gates execution of risky hooks (tasks, debug preLaunchTask, and certain extension activations) until a folder is explicitly trusted,” they said. “Cursor’s default disables this protection, so autoruns such as runOn: ‘folderOpen’ fire without a consent prompt.”
Security Debt in the Cursor Ecosystem
The disclosure isn’t an isolated scenario. Earlier this year, Cursor was already targeted by campaigns like CurXecute and MCPoison, along with npm package tampering aimed at macOS users. Barr warned that the .vscode/tasks.json issue is “just another piece of the same puzzle: attackers are looking deep into Cursor’s ecosystem to uncover any pathway to execution.”
Cursor did not immediately respond to CSO’s request for comments.
Hinting at a silver lining, Ford said, “Cursor is at the point where they’re being compared to (and increasingly targeted like) Microsoft’s Visual Studio. This is a cause for a high-five and a reckoning to further harden and expand enterprise security capabilities.” To mitigate the issue, Oasis researchers advise enabling Workspace Trust and taking extra care with unknown repositories–such as opening them elsewhere, reviewing them first, and limiting exposed secrets.
No Responses