CVE-2024-48919 Information

Description

Cursor is a code editor built for programming with AI. Prior to Sep 27 2024 if a user generated a terminal command via Cursor’s Terminal Cmd-K/Ctrl-K feature and if the user explicitly imported a malicious web page into the Terminal Cmd-K prompt an attacker with control over the referenced web page could have a significant chance of influencing a language model to output arbitrary commands for execution in the user’s terminal. This scenario would require the user explicitly opt-in to including the contents of a compromised webpage and it would require that the attacker display prompt injection text in the the contents of the compromised webpage.

A server-side patch to not stream back newlines or control characters was released on September 27 2024 within two hours of the issue being reported. Additionally Cursor 0.42 includes client-side mitigations to prevent any newline or control character from being streamed into the terminal directly. It also contains a new setting `## Reference https://github.com/getcursor/cursor/security/advisories/GHSA-rmj9-23rg-gr67