Vulnerability Description
Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a to render diagrams) allows embedding images which then get rendered by Cursor in the chat box. An attacker can use this to exfiltrate sensitive information to a third-party attacker controlled server through an image fetch after successfully performing a prompt injection. A malicious model (or hallucination/backdoor) might also trigger this exploit at will. This issue requires prompt injection from malicious data (web, image upload, source code) in order to exploit. In that case, it can send sensitive information to an attacker-controlled external server. Some additional bypasses not covered in the initial fix to this issue were discovered, see GHSA-43wj-mwcc-x93p. This issue is fixed in version 1.7.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Anysphere | Cursor | < 1.7 |
Related Weaknesses (CWE)
References
- https://github.com/cursor/cursor/security/advisories/GHSA-43wj-mwcc-x93pNot Applicable
- https://github.com/cursor/cursor/security/advisories/GHSA-xw2x-252g-97w2Vendor Advisory
FAQ
What is CVE-2025-61589?
CVE-2025-61589 is a vulnerability with a CVSS score of 5.9 (MEDIUM). Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a to render diagrams) allows embedding images which then get rendered by Cursor in the chat box. An attacker ...
How severe is CVE-2025-61589?
CVE-2025-61589 has been rated MEDIUM with a CVSS base score of 5.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-61589?
Check the references section above for vendor advisories and patch information. Affected products include: Anysphere Cursor.