Platform: vscode
Component: cursor
Fixed version: 1.7.1
CVE-2025-61590 is a Remote Code Execution (RCE) vulnerability affecting Cursor, a code editor built for programming with AI. This vulnerability allows attackers to execute arbitrary code through Visual Studio Code Workspaces, a feature that enables users to manage multiple folders and settings within a project. Versions 1.6 and earlier are vulnerable, and a fix is available in version 1.7.
The vulnerability stems from Cursor's handling of Visual Studio Code Workspaces. Workspaces, which utilize .code-workspace files, store project settings and folder configurations. An attacker could craft a malicious .code-workspace file that, when opened by a vulnerable Cursor instance, triggers the execution of arbitrary code. This could lead to complete system compromise, including data theft, malware installation, and unauthorized access to sensitive information. The attack vector is particularly concerning because users may unknowingly open malicious workspaces from untrusted sources, or if a malicious workspace is already present in their environment.
CVE-2025-61590 was publicly disclosed on 2025-10-03. The vulnerability's exploitation context is currently unclear, but the RCE nature and the reliance on workspace files suggest a potential for targeted attacks. There are no known public proof-of-concept exploits available at this time. The EPSS score is pending evaluation.
Developers and users of Cursor who rely on Visual Studio Code Workspaces are at risk. This includes those who frequently work with multiple projects or collaborate with others on codebases. Users who have previously downloaded or opened .code-workspace files from untrusted sources are particularly vulnerable.
• vscode / workspace: Check for unusual .code-workspace files in user directories.
Get-ChildItem -Path $env:USERPROFILE -Filter *.code-workspace -Recurse | Select-Object FullName
• vscode / workspace: Monitor the Cursor process for unexpected child processes.
$ids = (Get-Process Cursor).Id
Get-CimInstance Win32_Process | Where-Object { $_.ParentProcessId -in $ids -and $_.Name -notlike 'Cursor*' }
• vscode / workspace: Examine Cursor logs for errors related to workspace loading or parsing. (Log location varies by OS).
• generic web: Scan user directories for suspicious .code-workspace files using antivirus or endpoint detection and response (EDR) solutions.
EPSS: 0.11% (30th percentile)
The primary mitigation for CVE-2025-61590 is to upgrade Cursor to version 1.7 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, users should exercise extreme caution when opening .code-workspace files, especially those from untrusted sources. Consider temporarily disabling the automatic loading of workspaces if possible. While a WAF or proxy cannot directly mitigate this vulnerability, implementing strict file access controls and scanning for malicious .code-workspace files can provide an additional layer of defense. Regularly review and audit workspace configurations to identify and remove any suspicious entries.
Upgrade Cursor to version 1.7 or later. This version fixes the remote code execution (RCE) vulnerability via .code-workspace files manipulated through prompt injection. The update prevents exploitation of this vulnerability.
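An added example, not from the original advisory or the Cursor project: a Python auditor for the workspace review recommended above. The page does not say which part of the file the flaw abuses, so it lists every entry able to name a program (the `tasks` and `launch` sections, settings matched by an assumed name heuristic, and folder paths that leave the workspace directory); `SAMPLE` is constructed.

```python
import json
import re
from pathlib import Path

# Sections of the .code-workspace format that can reference commands to run.
EXEC_SECTIONS = ("tasks", "launch")
# Assumption: a setting whose name contains one of these usually names a program.
RISKY_SETTING = re.compile(r"path|executable|command|shell|profile", re.I)
STRING = r'"(?:\\.|[^"\\])*"'
COMMENT = re.compile("(" + STRING + r")|//[^\n]*|/\*.*?\*/", re.S)
TRAILING = re.compile("(" + STRING + r")|,(?=\s*[}\]])", re.S)

def strip_jsonc(text):
    """Drop // and /* */ comments and trailing commas without touching strings."""
    keep_str = lambda m: m.group(1) or ""   # string literals pass through unchanged
    return TRAILING.sub(keep_str, COMMENT.sub(keep_str, text))

def audit_workspace(text):
    """Return (location, value) pairs worth a manual look in one workspace file."""
    ws = json.loads(strip_jsonc(text))
    found = [(s, json.dumps(ws[s])[:100]) for s in EXEC_SECTIONS if ws.get(s)]
    found += [(f"settings.{k}", json.dumps(v)[:100])
              for k, v in ws.get("settings", {}).items() if RISKY_SETTING.search(k)]
    found += [("folders.path", f["path"]) for f in ws.get("folders", [])
              if re.match(r"[/\\]|\.\.|[A-Za-z]:", f.get("path", ""))]
    return found

def scan(root):
    """Audit every *.code-workspace file under root; unparsable files are reported."""
    for p in Path(root).rglob("*.code-workspace"):
        try:
            yield p, audit_workspace(p.read_text(encoding="utf-8", errors="replace"))
        except (ValueError, AttributeError, TypeError) as exc:
            yield p, [("parse-error", str(exc))]

# Constructed sample; it uses the comments and trailing commas the format allows.
SAMPLE = r'''{
  // constructed workspace file for the example
  "folders": [ { "path": "." }, { "path": "../../shared" }, ],
  "settings": {
    "editor.tabSize": 2, /* harmless */
    "http.proxy": "http://proxy.example:8080",
    "git.path": "./tools/git"
  },
  "tasks": { "version": "2.0.0", "tasks": [ { "label": "build", "command": "make" } ] }
}'''
```

A finding is a prompt for manual review, not a verdict: legitimate workspaces also define tasks and tool paths.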
CVE-2025-61590 is a Remote Code Execution vulnerability in Cursor, a code editor, allowing attackers to execute code through malicious Visual Studio Code Workspaces.
You are affected if you are using Cursor version 1.6 or earlier and have .code-workspace files in your environment, especially if those files originate from untrusted sources.
Upgrade Cursor to version 1.7 or later to resolve the vulnerability. Exercise caution when opening .code-workspace files until the upgrade is complete.
There are currently no confirmed reports of active exploitation, but the RCE nature of the vulnerability warrants caution.
Refer to the Cursor project's official website and release notes for the latest advisory and security updates: [https://cursor.sh/](https://cursor.sh/)