CVE-2025-62354 | THREATINT

Description

Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in the allowlist, resulting in arbitrary code execution.

PUBLISHED Reserved 2025-10-10 | Published 2025-11-26 | Updated 2025-11-26 | Assigner HiddenLayer

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Product status

Default status

unaffected

1.3.4 (semver) before 2.0

affected

References

hiddenlayer.com/sai_security_advisor/2025-11-cursor/

cve.org (CVE-2025-62354)

nvd.nist.gov (CVE-2025-62354)

Download JSON