CVE-2026-50549
Cursor · Cursor
A path canonicalization flaw in the Cursor AI code editor allows a malicious agent to bypass sandbox restrictions and write arbitrary files, which can lead to remote code execution on the host.
Executive summary
Cursor AI contains a critical path canonicalization vulnerability that allows malicious agents to bypass sandbox protections and write files to arbitrary locations on the host system.
Vulnerability
The sandbox attempts to canonicalize (resolve symlinks in) the path an agent wants to write before checking that it lies inside the workspace. When that canonicalization fails, the application does not reject the write; it falls back to the original, unverified path and checks that instead. A malicious agent can therefore plant a symlink inside the project and write through it to a location outside the sandbox, without the user approval that out-of-sandbox writes would otherwise require.
Business impact
With a CVSS score of 9.3, this flaw is rated critical. An attacker who can steer the agent's file writes can achieve remote code execution by overwriting critical system files or helper binaries, which can lead to full compromise of the host machine and onward access to intellectual property or internal network resources.
Remediation
Immediate Action: Update to Cursor version 3.0 or later to ensure proper path validation and sandbox enforcement.
Proactive Monitoring: Review file integrity monitoring logs for symlinks created inside project directories, in particular links whose target resolves outside the workspace.
Compensating Controls: Implement endpoint detection and response (EDR) solutions to detect and block anomalous file write activities originating from the Cursor process.
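As an added example for the monitoring recommendation (not a Cursor feature, and a one-shot scan rather than a replacement for file integrity monitoring), the script below walks a workspace without following links and reports every symlink whose target resolves outside the canonical workspace root. Dangling links are resolved lexically and reported too, since a link planted ahead of a write is exactly what the flaw exploits. The workspace layout it scans is constructed for the demo.

```python
"""Find symlinks under a workspace that point outside it.
Added example for the advisory's monitoring recommendation."""
import os
import tempfile


def find_escaping_symlinks(workspace: str) -> list[tuple[str, str]]:
    """Return (link_path, resolved_target) for each symlink below workspace
    whose target lies outside the canonical workspace root. Non-strict
    realpath is used so a dangling link still yields its intended target."""
    root = os.path.realpath(workspace)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:  # dir symlinks are listed but not entered
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)
            if os.path.commonpath([root, target]) != root:
                findings.append((link, target))
    return findings


def build_workspace() -> str:
    """Constructed layout (hypothetical): one benign internal link, one
    directory link escaping the workspace, one dangling link pointing out."""
    base = os.path.realpath(tempfile.mkdtemp(prefix="ws-scan-"))
    ws, outside = os.path.join(base, "ws"), os.path.join(base, "outside")
    os.makedirs(os.path.join(ws, "src"))
    os.makedirs(outside)
    os.symlink(os.path.join(ws, "src"), os.path.join(ws, "internal"))   # benign
    os.symlink(outside, os.path.join(ws, "esc"))                         # escapes
    os.symlink(os.path.join(outside, "later.txt"), os.path.join(ws, "dangling"))  # dangling, escapes
    return ws


def demo() -> list[str]:
    """Scan the constructed workspace; returns the sorted names of flagged links."""
    return sorted(os.path.basename(link) for link, _ in find_escaping_symlinks(build_workspace()))


if __name__ == "__main__":
    ws = build_workspace()
    for link, target in find_escaping_symlinks(ws):
        print(f"{link} -> {target}")
```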
Exploitation status
Public Exploit Available: No
Analyst recommendation
The reliance on AI agents in development environments necessitates rigorous sandbox security. Given the critical severity of this flaw, administrators and developers must update to version 3.0 or later immediately to prevent unauthorized file system access and potential full system compromise.