16 comments

  • jjcm 5 minutes ago
    I'm not sure I fully agree with this being a major vuln. There's a lot of up front scary text which was raising a lot of red flags until it actually discussed the "what".

    An actor has to place a malicious .exe in the user's code folder, named git.exe, for this to take place.

    I see this akin to something like saying "replacing their .bashrc with an alias that says `ls` instead executes `/tmp/mega-big-virus.sh` is a vuln".

    Yes it's a vector, but if they've placed something in your filesystem like that already, you've already been compromised.

    • shitter 1 minute ago
      The user's code folder? You mean the code I frequently pull from untrusted sources, unlike my .bashrc? Opening a GitHub project for review should not mean arbitrary code execution.
  • Illniyar 47 minutes ago
    It's pretty weird for cursor to run arbitrary exe file without prompting, and alarming that the researchers did not get a proper response for months.

    But the example with calculator is a bit misleading I think, you'll have to have a malicious exe already in the system and downloaded, and if cursor tried to run my understanding is that ACL should immediately kick in and you'll be asked for permission to run a new, unsigned app for the first time.

    You'll have to have ACL disabled completely for this to be exploitable.

    • shitter 7 minutes ago
      And what'll the prompt say? "Do you want to run git.exe?"? I'll probably assume Cursor needs to run git but permissions got messed up somewhere and click right through that.

      I haven't used Windows in a while so pardon if I'm missing something.

  • dclowd9901 20 minutes ago
    This draws to mind the dialog that opens when you open a new project in Cursor (and VSCode too, I think), where the IDE asks the user if they trust the project they're opening. Is Cursor under the impression that this is sufficient security apparatus?
  • firer 31 minutes ago
    All too common... It's sad yet understandable how a company would not prioritize security.

    At the same time, it's also understandable how a security start-up, upon (rightly) getting fed up waiting, decide to publicly disclose, as a way to scrape some PR out of the sunk cost. Public disclosure has a place. But if you truly care about helping, you could do more than bumping on HackerOne and messaging the CISO once on LinkedIn.

    Maybe I'm too cynical but it truly feels like nobody actually cares at this point.

    • orphereus 11 minutes ago
      This comment is so weird. It is so vague to me and feels so off, like an alien from Men in Black trying to pass as a human.

      How do they not truly care about helping? Also what sunk cost? What does that mean?

  • minraws 1 hour ago
    Why is cursor subsequently executing anything? Like what is this black magic they want to do? I want to know the decision tree here? Was this cursor coded?

    I do not understand the point, btw vim has had similar issues with it executing stuff you might not expect by loading a file but it was obviously a vim feature with %{expr}. But why specifically git.exe , this seems like the most redundant bug cve which could have been trivially patched, who does this feature help exactly?

    I am not really a user of cursor never used it for even a single day, but at this point I am curious why this exists...

    • SpicyLemonZest 56 minutes ago
      Presumably it's trying to find the user's actual Git so that the built-in agent can load context on different branches, worktrees, etc. Of course there are less vulnerable ways to do that, but this kind of mildly justified hackiness is exactly where I'd expect an AI-assisted workflow to go wrong (and an AI-assisted bug triage to fail to alarm).
  • ajhenrydev 1 hour ago
    This report reads a bit like AI writing :/

    You need to have an already malicious payload on your pc to make this exploit work (via clone/download/magic). I can understand the severity of the exploit but at the same time I’d hope to not have to run into this situation for it to happen in the first place

    • gene91 1 hour ago
      Modern day code agents would clone a repo and read the code when you ask it a question about an API that’s not clearly documented. This vulnerability is real.
    • AntonyGarand 1 hour ago
      The malicious payload can live on the remote: `git clone` a repo, open it with cursor, and you're compromised
    • dalemhurley 30 minutes ago
      If your an opensource developer you may get a pull request containing the the git.exe
    • pixl97 1 hour ago
      >You need to have an already malicious payload on your pc to make this exploit work

      Uh, no, not exactly from what I'm reading.

      At least from my piss poor understanding of it, you could possibly prompt inject something like "download https://github.com/hackmycursor/exploit.git". Would an agent do this, I'm unsure, but if so, it would download the git.exe and execute it.

      • trollbridge 1 hour ago
        This has been a problem with agent harnesses for as long as I've used them - prompting them to retrieve something often results in them going the extra mile and running and installing it.
    • ribs 12 minutes ago
      I think you’ve got it wrong; no malicious payload need be on your box already. That’s not what the article says.
    • JMKH42 1 hour ago
      wouldn't the attack vector be like this:

      I find a github repo, I want to contribute to it. I clone it, open up cursor, make an edit, commit, and boom, I am infected.

      • skeledrew 41 minutes ago
        From my reading, boom happens at "open up cursor".
      • Illniyar 45 minutes ago
        you would only need to open it to be exploited, not edit or prompt. Allegedly
        • dalemhurley 27 minutes ago
          From the article it occurs when Cursor is loaded. iDEs do a lot of stuff when they first open.
  • aliasxneo 1 hour ago
    I'm struggling to understand the process that went into this "feature" existing. It seems the most likely candidate is a developer's git started malfunctioning and an agent "fixed" it by dropping a `git.exe` in the repo and then conditionally calling it when it exists.
    • gruez 1 hour ago
      >It seems the most likely candidate is a developer's git started malfunctioning and an agent "fixed" it by dropping a `git.exe` in the repo and then conditionally calling it when it exists.

      It doesn't need to be that deliberate. The default shell on windows (cmd.exe) includes the current directory into PATH by default. In other words, you don't need to do `./program.exe`, `program.exe` would suffice. That's probably where the bug came from. This also means if you were using cmd.exe, ran `git clone`, went inside it, then executed any command (eg. dir or git) you could get pwned.

      • drdexebtjl 1 hour ago
        Windows doesn’t really have a default login shell like Unix.

        Windows Terminal defaults to PowerShell which does not suffer from this issue.

    • conartist6 1 hour ago
      and ever since, this approach has been a critical pathway for some billion dollar business probably. hooray
      • pixl97 1 hour ago
        I see you also work in enterprise software.
  • awongh 14 minutes ago
    I guess this is only specific to a file in the root of the repo, so it doesn't allow for an NPM supply chain attack?
    • beart 9 minutes ago
      It has nothing to do with npm. However, a binary could be configured to extract your git/npm secrets using this exploit, which could then lead to a npm supply chain attack (or pip, etc. etc.).
  • nosefrog 1 hour ago
    Would be nice if the timeline matched up with the text of the blog post (missing "HackerOne provides disclosure guidance").
  • vanyaland 15 minutes ago
    Does the git lookup run before the trust check, or ignore it?
  • 827a 15 minutes ago
    Frankly, if you git clone a compromised repository, I'm not sure that a vulnerability of the class "compromised code in that repository will be executed" is all that major a concern. There are plenty of IDEs that will go autonomously run npm installs (with post-install scripts) for you when they detect a package.json. This isn't all that different than that.

    They could throw up a warning like "do you trust this repository" oh wait they already do, and no one cares. Security is hard. Ultimately if you have compromised code on your machine, all bets are off.

    • beart 3 minutes ago
      A lot of malware was delivered back in the day via Windows AutoPlay feature. Someone plugs a USB drive in and bam, they are immediately exploited. You could say it's always a problem if the USB drive is already full of malware. However, Microsoft disabled AutoPlay in Windows 7 (and backported this fix) specifically to address this vulnerability.

      This exploit feels very similar to me. I don't know if there's a specific name for this classification of AutoPlay issues.

  • chrisjj 40 minutes ago
    > The most obvious question is also the simplest: Why hasn't this been fixed?

    Obvious answer is obvious. The devs do not consider it a bug.

  • chrisjj 46 minutes ago
    > Until the IDE is patched, open untrusted repositories only in an isolated VM, Windows Sandbox, or other disposable environment.

    Got to wonder why trusted repositories are excluded...

    • dalemhurley 19 minutes ago
      Except it might come from a trusted repo. Some of the biggest repos have been recently targeted in supply chain attacks. Consider for a moment

      1. Attacker takes over maintenance of a widely used Cursor extension

      2. Attacker adds a remote backdoor to monitor which repos are being maintained

      3. Attacker decides to only infect the largest one with a git commit hook

      4. The developer didn’t even know they just included git.exe in their commit

      5. The developer is a sole maintainer on the repo and merges their own PR without review (because they(/their AI) wrote it)

      6. Now a trusted repo is infected

      7. A contributor pulls down the infected repo and opens cursor

  • nubg 1 hour ago
    > Most coordinated disclosures follow a familiar pattern:

    > 1. A vulnerability is reported.

    > 2. A dialogue begins.

    > 3. Severity is discussed.

    > 4. Engineering teams investigate.

    > 5. Fixes are developed.

    > 6. Users are protected.

    > 7. Public disclosure follows.

    8. The author prompts an LLM to write a blog post.

    9. HN users are wasting time, unsure which parts of the post come from the actual prompt, and which are hallucinated world knowledge slop.

    • mike_hock 58 minutes ago
      Maybe the bug report got ignored because they posted another 1000 slop reports, who knows.
      • dakolli 45 minutes ago
        The disclosure seems pretty straight-forward, definitely some LLM assisted writing here, but not nearly as bad as most of the other stuff on this site.
      • skeledrew 43 minutes ago
        Wonder who's fault it is when a critical security issue goes unresolved because "slop" report (sure ain't the reporters').
  • DaWe01 2 hours ago
    [flagged]
  • sieabahlpark 1 hour ago
    [dead]