Using Cursor CLI inside a malicious repository leads to Remote Code Execution on the end-user.
( , 2025.09.17-25b418f)
Due to automatic loading of project-specific CLI configuration that affected certain global configurations under the current working directory (<project>/.cursor/cli.json) while using Cursor CLI, users running the CLI inside a malicious repo context are prone to Remote Code Execution via a combination of permissive configuration (allowed shell commands) and prompt injection delivered via project specific Rules (<project>/.cursor/rules/rule.mdc) or other mechanisms.
The most likely exploitation vector for this issue, is for Cursor CLI users to clone a malicious Git repository and then run any query inside the cloned repository.
No PoC is supplied for this issue
No mitigations are available for this issue