Critical Cursor RCE: CVE-2024-XXXXX lets Git repos auto-execute code
Key Takeaways A severe, unpatched vulnerability in Cursor, an AI-powered code editor, allows for remote code execution (RCE) on Windows systems. The flaw, tracked as CVE-2024-XXXXX, triggers simply...
Key Takeaways
- A severe, unpatched vulnerability in Cursor, an AI-powered code editor, allows for remote code execution (RCE) on Windows systems.
- The flaw, tracked as CVE-2024-XXXXX, triggers simply by opening a malicious Git repository, requiring no user interaction.
- Security firm Mindgard discovered and reported the issue, but after seven months of vendor silence and 197 new releases, the vulnerability remains unaddressed.
- Millions of developers using Cursor are at risk, as attackers could embed malicious
git.exefiles in repositories.
Critical Unpatched RCE Flaw in Cursor Editor
A significant security flaw, identified as CVE-2024-XXXXX, has been discovered in Cursor, a popular AI-driven code editor utilized by over 7 million developers. This critical vulnerability permits attackers to execute arbitrary code on Windows machines with no user interaction beyond simply opening a compromised Git repository. No clicks, confirmations, or authorization prompts are required to trigger the exploit.
Table Of Content
The vulnerability was initially identified by cybersecurity firm Mindgard on December 15, 2025, and promptly reported to Cursor’s security team. Despite numerous subsequent software updates—197 new versions in total—the flaw persists in the latest tested builds. This prolonged lack of a fix led Mindgard to publicly disclose the vulnerability after more than seven months of unresponsiveness from the vendor.
How the Cursor 0-Day Operates
The core of the vulnerability lies in Cursor’s method for locating Git binaries when loading a development project. The editor’s search path includes the project’s root workspace directory. If a malicious executable named git.exe is placed within this root directory by an attacker, Cursor will automatically execute it during its routine path resolution process. This implicit search mechanism means the execution occurs without any security alerts or warnings to the user.
The comprehensive analysis of this automatic execution loop is detailed in the official Mindgard zero-day report. During their testing, Mindgard effectively demonstrated the vulnerability by using a renamed Windows Calculator binary as a benign proof-of-concept. Opening the project directory in Cursor repeatedly launched instances of the Calculator, as the IDE continuously re-invoked the malicious file during its background operations.
.webp)
Sysinternals Process Monitor logs confirmed that the parent process, Cursor.exe, spawned the planted binary through a standard git rev-parse --show-toplevel query. This behavior was last verified on Cursor version 3.2.16. In a real attack scenario, this Calculator executable could easily be replaced with a more dangerous payload, such as ransomware, a credential stealer, or a keylogger, operating silently under the victim’s current user privileges.
Vendor Disclosure Timeline and Response
Mindgard followed established industry protocols for coordinated vulnerability disclosure:
- December 15, 2025: The initial vulnerability report was sent via Cursor’s official
security.txtemail address, followed by multiple requests for status updates. - January 2026: After receiving no response, Mindgard resorted to public outreach on LinkedIn to find a valid contact. Cursor’s CISO eventually responded, citing a HackerOne automation error as the reason for the delay, and manually invited Mindgard to participate in their private bug bounty program.
- Bounty Evaluation: The report was initially dismissed as “Informative” and deemed out of scope. This decision was only overturned after Mindgard contested the ruling and HackerOne triage staff successfully replicated the bug.
- January – June 2026: Mindgard made repeated attempts to get updates through HackerOne and directly contacted Cursor leadership. Despite dozens of new production releases from the vendor, all communications went unanswered.
This extended delay in addressing a critical vulnerability within a development environment highlights broader industry concerns regarding the potential for unsecured third-party scripts to compromise developer endpoints.
What You Should Do
Given the absence of an official vendor patch, both administrators and individual users must implement compensating security controls to minimize their exposure to this threat.
For Enterprise Security Teams (Windows Endpoints)
Focus on deploying path-based deny rules rather than hash-based controls:
- AppLocker / Windows App Control: Implement path-based deny rules that specifically target workspace directories (e.g.,
%USERPROFILE%sourcerepos*git.exe). Since attacker-supplied binaries will have varying hashes, blocking must be based on the file path, not its signature. - EDR Integration: As Windows lacks native, parent-process-aware application blocking, full mitigation requires configuring specialized Endpoint Detection and Response (EDR) rule overrides to monitor and restrict child processes spawned by
Cursor.exe.
For Individual Developers
Exercise strict containment precautions when interacting with external repositories:
- Sandbox Isolation: Avoid opening untrusted or newly cloned repositories directly on your host operating system. Instead, open such projects exclusively within a disposable Virtual Machine (VM) or a Windows Sandbox session until an official security patch becomes available.
- Process Auditing: Regularly monitor your active task manager for any unauthorized child processes. Proactively audit your endpoints to defend against untrusted execution layers that could bypass traditional host isolation mechanisms.
| Vulnerability Vector | Implicated Component | Trigger Action | Immediate Mitigation |
| Workspace Git Lookup | Root directory search path | Merely opening a project directory | Path-based AppLocker rules / Windows Sandbox isolation |
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.