Cursor IDE 0day: Malicious git.exe Auto-Executed, No Fix After 7 Months

Original: Cursor 0day: When Full Disclosure Becomes the Only Protection Left

Why This Matters

An unpatched auto-execution flaw in a 7M-user AI IDE poses significant supply chain and developer security risks.

Mindgard disclosed a zero-day in Cursor IDE on Dec 15, 2025: opening a repo containing a malicious git.exe on Windows triggers automatic code execution with no user prompts. After 7 months and 197+ Cursor versions, the vulnerability remains unpatched as of the latest tested release.

Security firm Mindgard has publicly disclosed a zero-day vulnerability in Cursor, the AI-assisted IDE with 7 million+ active users, 1 million+ daily users, and a reported $60 billion valuation. The flaw, discovered on December 15, 2025, affects Windows users: when a developer opens a repository that contains a malicious git.exe file in the project root, Cursor automatically executes it on a recurring cadence — with no user interaction, prompts, or warnings. The result is arbitrary code execution.

Mindgard reported the issue the same day it was found, then followed up multiple times over seven months through Cursor's official security.txt-listed email address and public outreach channels. Despite 197+ new Cursor versions being released in that period, the vulnerability has not been patched.

Mindgard has recommended temporary mitigations for enterprise Windows environments, including AppLocker or Windows App Control policies with path-based deny rules targeting workspace directories. Consumer users are advised to open untrusted repositories only inside isolated VMs or Windows Sandbox until an official fix is available. Hash-based blocklists are explicitly noted as insufficient since attacker-supplied binaries can vary by hash.

The firm states that exploitation requires no complex chaining — no prompt injection, jailbreaks, or memory corruption. The decision to proceed with full public disclosure follows Cursor's sustained non-response to private reporting.

Source

mindgard.ai — Read original →