CVE-2025-64110 HIGH

CVE-2025-64110: Cursor: Authentication Bypass Possible via New Cursorignore Write

Vendor Cursor
Product cursor
Weakness CWE-284
Published November 4, 2025
Last update November 7, 2025
View on NVD All CVEs

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Cursor is a code editor built for programming with AI. In versions 1.7.23 and below, a logic bug allows a malicious agent to read sensitive files that should be protected via cursorignore. An attacker who has already achieved prompt injection, or a malicious model, could create a new cursorignore file which can invalidate the configuration of pre-existing ones. This could allow a malicious agent to read protected files. This issue is fixed in version 2.0.

Key dates

02Disclosure timeline

November 4, 2025 CVE published
November 7, 2025 Record updated

Related vulnerabilities

04Related CVE

CVE-2021-28504 On Arista Strata family products which have “TCAM profile” feature enabled when Port IPv4 access-list has a rule which matches on “vxlan” as protocol then that rule and subsequent rules ( rules declared after it in ACL ) do not match on IP protocol fi ... CVE-2026-41101 Microsoft Word for Android Spoofing Vulnerability CVE-2026-41166 OpenRemote has Improper Access Control via updateUserRealmRoles function CVE-2023-20237 CVE-2023-21750 Windows Kernel Elevation of Privilege Vulnerability