CVE-2025-64108: Cursor is a code editor built for programming with AI. In versions 1.7.44 and below, various NTFS path quirks allow a pr
Summary
Cursor, a code editor designed for AI-assisted programming, has a vulnerability in versions 1.7.44 and below where attackers can exploit NTFS path quirks (special behaviors of Windows file systems) to bypass file protection rules and overwrite files that normally require human approval, potentially leading to RCE (remote code execution, where an attacker can run commands on a system they don't own). This attack requires chaining with prompt injection (tricking an AI by hiding instructions in its input) or a malicious AI model, and only affects Windows systems using NTFS.
Solution / Mitigation
This issue is fixed in version 2.0. Users should upgrade to version 2.0 or later.
Vulnerability Details
8.8(high)
EPSS: 0.1%
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-64108
First tracked: February 15, 2026 at 08:52 PM
Classified by LLM (prompt v3) · confidence: 92%