Cursor AI Editor Path Traversal to RCE via Malicious git.exe Injection
Cursor, an AI-powered code editor, automatically executes a git.exe binary from the project root without validation, allowing attackers to achieve arbitrary code execution by distributing malicious repositories. This is particularly concerning given Cursor's access to sensitive development environments and integration with build pipelines.
Affected
Cursor automatically executes a git.exe binary found in a project's root directory without validating its origin or integrity. An attacker can craft a malicious Git repository containing a weaponised git.exe that runs when a developer clones or opens the project in Cursor, resulting in arbitrary code execution with the developer's privileges. This is a classic but effective execution path that exploits legitimate tool behaviour through path confusion.
The vulnerability mechanics are straightforward: Cursor likely invokes git commands to perform repository operations (status checks, history inspection, branch switching) during project initialisation or when presenting features that interact with version control. By placing a fake git.exe in the project root, the attacker ensures Cursor preferentially executes the malicious binary over the system or legitimate Git installation. The developer sees no obvious indication that code is running, as Cursor abstracts version control interactions from the UI.
This attack vector is particularly effective because Cursor operates in the developer's local trusted environment with access to source code, build artifacts, SSH keys, credentials in environment files, and often unrestricted network access. An attacker gaining code execution can steal secrets, modify source before compilation, inject persistent backdoors, or pivot to internal infrastructure. The threat surface widens considerably given Cursor's integration with AI features that may enable further exploitation vectors.
Developers should immediately audit projects cloned from untrusted sources, ensure their system PATH prioritises legitimate Git installations over project directories, and disable or restrict Cursor's automatic project scanning until a patch is available. Organisations should consider restricting Cursor use on machines with access to sensitive repositories or implement sandboxing policies. The Cursor team must implement binary verification before executing external tools, validate git.exe signatures, and preferentially use system-installed binaries via absolute paths rather than relying on PATH resolution.
This incident underscores a broader pattern where AI-assisted developer tools, designed for convenience and speed, increasingly blur the boundary between user code and tool execution. The expectation that a project root is a trusted environment is breaking down as distributed repositories become attack surfaces. Similar vulnerabilities likely exist in other editor extensions and tools that automatically execute binaries or scripts discovered within project directories without explicit user consent.
Sources