Core Key Points:
Cursor IDEs explode one after another in 2025Six categories of security incidentsThis guide is based on a real-life incident involving 3200+ developers and millions of dollars in economic losses. Based on real-life incidents, this guide develops enterprise-level protection solutions to help organizations build a "defense-in-depth" system.
core element(Recommendation):
- ❌ prohibited item: Private API Key, Unofficial Extension Source, Automatic MCP Loading
- ✅ mandatory item:Privacy ModeEnablement, MCP Zero Trust Approval, Dependency Scanning, Log Monitoring
- 🔄 periodic term:: 30-day configuration audit, 90-day key rotation, quarterly in-depth assessment
I. Introduction to Cursor IDE
1.1 Core concepts
Cursoris an AI-driven integrated development environment (IDE) based on Visual Studio Code, designed for modern development workflows. By integrating the Large Language Model (LLM), Cursor provides code generation, intelligent completion, and auto-repair to significantly improve development efficiency.
Key Features:
- AI code generation and completion (OpenAI, Anthropic, Google Vertex, etc. supported)
- Model Context Protocol (MCP) integration to connect to external tools and data sources
- Privacy Mode(Privacy Mode), which offers a zero code retention commitment
- Enterprise SSO and Team Management (Cursor Business)
- Rule-based agent configuration (.cursorrules)
1.2 State of the market
Adoption rate: Used by over 50,000 organizations, including over 250 Fortune 500 companies
Developer Base: Millions of developer daily users worldwide
Version Evolution:
- v1.0-v1.2: Initial version with multiple major security vulnerabilities
- v1.3+: Critical patch release, fixes CVE-2025-54135, CVE-2025-54136, CVE-2025-59944
1.3 Architectural features
Key Architecture:
- Cursor Local IDE → MCP Configuration → External Tool Connections → LLM Reasoning → Code Suggestion and Auto Execution
Key Architecture Risks:
AI agents have developer-level privileges to access the file system, execute system commands, and modify configuration files, making them high-value attack targets.
II. Anatomy of a security incident in 2025 and lessons learned
2.1 Overview of the Six Events and Evolutionary Paths
Timeline and Correlation:
Important findings:
▸ Three CVEs point to core flaws in the MCP mechanism (accounting for 50%)
▸ Expansion and reliance on the supply chain are major breakthroughs (of 33%)
▸ Economic loss model evolution: data breach → asset theft → cost exhaustion
2.2 Event 1: MCP Configuration Persistence RCE - CVE-2025-54136 (MCPoison)
detection mechanism: Check Point Research
severity: CVSS 7.2 (High)
restoration version: Cursor 1.3+
Attack Flowchart:
From the above MCPoison attack chain panorama, the CVE-2025-54136 vulnerability exploits a flaw in the MCP trust mechanism of the Cursor IDE. An attacker first submits a seemingly legitimate MCP configuration for one-time approval by the developer, and then modifies the configuration days or weeks later to reverse shell commands. The key issue is that Cursor does not re-approve configuration changes, but instead loads and executes them automatically - giving attackers permanent, hidden persistent access.
remediation: Re-approval automatically triggered by configuration changes after Cursor 1.3
2.3 Event 2: MCP Prompt Injection RCE - CVE-2025-54135 (CurXecute)
detection mechanism: Aim Labs, Backslash Security, HiddenLayer
severity: CVSS 8.6 (Critical)
restoration version: Cursor 1.3+
Technical details:
Attack direction: not modify the MCP configuration, but use the MCP to return malicious data
Example Scenario Diagram:
CVE-2025-54135 exploits an "autonomous execution" design flaw in Cursor Agent Mode. Attackers deploy seemingly legitimate MCP services (e.g., Slack integrations, GitHub API proxies), hide instructions in the returned data, and induce the Cursor Agent to automatically modify the MCP configuration to a malicious script. Since the Agent executes by default without secondary validation, the hacker can create a persistent RCE backdoor without the developer's knowledge.
2.4 Event 3: File Name Case Bypass - CVE-2025-59944
detection mechanism: Lakera
severity: High
restoration version: Cursor 1.7+
Vulnerability Principles:
Cursor protection rules (case sensitive):
protected_files = [
".cursor/mcp.json".
".vscode/tasks.json".
...
]
if (path in protected_files) {
show_approval_prompt() // show approval dialogs
}
Problem: Windows/macOS file system is not case sensitive
Bypass method: 
CVE-2025-59944 Filename Case Bypass This vulnerability exposes a common misconception about Cursor: the assumption that all operating systems are case-sensitive. An attacker creates .cUrSoR/mcp.json (mixed case), which on Windows and macOS is automatically parsed by the OS as .cursor/ - completely bypassing Cursor's protection checks. Cursor's .cursorignore only protects against the exact lowercase .cursor/, causing malicious configurations to be loaded silently.
Affected platforms:
- macOS: HFS+ (case insensitive)
- Windows: NTFS (case insensitive)
- Linux: ext4 (case sensitive ✗ not affected)
2.5 Incident 4: Malicious Extended Supply Chain - $500K Cryptocurrency Theft
timing: July 2025
source (of information etc): Open VSX Registry (unofficial)
downloads: 50,000+ times
damages:: ~$500,000 USD
Case Study:
This incident demonstrates the biggest risk in the development tools market. Attackers posted a fake "Solidity Language Support" extension (50,000+ downloads) on the VS Code Marketplace, tricking developers into installing it. Once the extension is activated, a hidden PowerShell script downloads the ScreenConnect backdoor and establishes remote access. The Quasar RAT (Remote Access Trojan) and Stealer programs are then deployed to automatically scan browser password vaults, email clients, and cryptocurrency wallets. Eventually, the attacker obtains the wallet seed phrase and transfers all crypto assets. The entire process took only 1 hour from installation to complete compromise, resulting in $500K+ of damage.
Why it works.:
- ✗ Open VSX Registry does not force extended signature validation
- ✗ Cursor does not validate extension sources by default (extensions.verifySignature = false)
- ✗ Developer trust registry (looks official)
- ✗ Code is hidden in the compilation product
2.6 Incident 5: npm package supply chain - 3200+ developer code leaks
timing: May 2025
malicious packet:sw-cur, sw-cur1, aiide-cur
downloads: Sustained growth (pre-discovery)
casualty:: 3200+ developers
Social engineering analysis:
This is the most alarming supply chain attack of 2025. Taking advantage of developers' cost-optimization mentality, the attacker publishes sw-cur ("the cheapest Cursor API wrapper") in npm, appearing to provide a legitimate API cost-containment solution. However, when developers execute require('sw-cur'), the hidden payload silently steals sensitive information such as .env, SSH private keys, AWS credentials, bash history, and installs keyloggers. After an infected developer commits code, all downstream developers who clone the repository and run npm install are also infected. In less than 24 hours, the attacker obtains the complete credentials of 3200+ developers, and then hacks into the corporate intranet, steals all the source code, and even injects malicious code into the customer's product to achieve supply chain contamination.
2.7 Incident 6: Budget Depletion Attack
timing: December 2025
organization: OX Security (research team)
Discover the background: Developer accidentally burns through monthly budget, prompting investigation
Deep Link Attack - Cursor Budget Explosion Complete Link is the most economically devastating attack in Cursor 2025.
Attackers construct malicious deep chains :
cursor://deeplink?action=setUsageLimit&value=1000000
cursor://deeplink?action=startInfiniteRequests&model=gpt4
Share it with the user via email or Slack. When the user clicks on it, the Cursor app automatically opens and silently performs a series of actions: injects parameters, opens the Command Palette, navigates to the Billing page, and changes the monthly budget limit to $1,000,000. the key drawback is that these actions don't require any validation, nor do they need to be approved by an administrator. The second deep chain then triggers an infinite request loop, consuming millions of Token in just 5 minutes, incurring $1M+ in API fees. Enterprise accounts were immediately locked out, leading to service disruptions, financial audits, and possible data breach investigations.
Results:
- Millions of tokens consumed in an instant.
- Costs have skyrocketed to $1M+.
- Business accounts locked
III. Guidelines for enterprise security configuration
3.1 Data Protection Layer - Privacy Mode and Rules
Cursor based on VSCODE development , the user can use agent, ask, edit mode in the development process for ai auxiliary development .
Security Specification and Configuration
Must] comply with the security norms, prohibit the transmission of high third-class code, enterprises should develop code repository classification and grading, such as high, medium, low, code leakage may lead to the company's heavy loss of the proposal to prohibit the use of Cursor, only medium and low-risk code repository use, will not give the company's business, algorithms, secret keys and other core critical infrastructure with significant risk.
You must manually turn on "Privacy Mode."
Configuration item:
Setting path: Settings → Features → Privacy Mode
Status: ✓ Enabled (all developers)
Verify the command line:
# Checking Privacy Mode configuration in settings.json
cat ~/.cursor/settings.json | grep -i privacy
# Expected output
"privacy.mode": true
Privacy Mode coverage:
✓ Code data: zero persistent storage in the Cursor server
✓ Model training: no longer used for any model training
✓ Vector embedding: only temporarily stored in memory (deleted after request completion)
✓ Logging: all logging functions are no-op (no operation)
Interaction of Codebase Indexing with Privacy Mode:
Cost vs. performance tradeoffs:
Performance may be degraded when Privacy Mode is enabled 5-10%(because precomputed cache embedding cannot be used)
Enterprise-level advice:
- Data Sensitivity ≥ INTERNAL: Enable Privacy Mode
- Code contains customer data/PII: must be enabled
- Financial/medical/government sector: must enable + use of self-deployment models
3.1.2 Codebase Indexing Configuration and Risk Assessment
[Required] Define files/directories that are not allowed to be read and indexed by the AI.Following the Cursor's own"ignore file"Mechanism to create a ".cursorignore" file in the codebase with the same syntax as .gitignore, internally defining code files or directories that are not allowed to be used by the AI index.
⚠️ Note: [you need to create the .cursorignore file and define the files that are not allowed to be accessed before importing the code directory in Cursor]
The .cursorignore example is shown below:
After the .cursorignore file has been created and written, then the cursor import code directory
Files that hit .cursorignore are not selectable in AI contextual references
A matrix of three scenario configurations for the enterprise level:
| norm | Configuration 1: Zero Trust | Configuration 2: Balanced (recommended) | Configuration 3: High performance (non-sensitive) |
|---|---|---|---|
| Codebase Index | ❌ OFF | ✅ ON | ✅ ON |
| Privacy Mode | ✅ ON (mandatory) | ✅ ON (mandatory) | ⚠️ OFF (approval required) |
| Sensitive document exclusion | preclude all | .cursorignore Configuration | No special configuration |
| semantic search | ❌ Not available | ✅ Limited availability* | ✅ Fully available |
| Code Completion Quality | 🟡 Medium | 🟢 High | 🟢 Best |
| Performance Impact | ↓ 20-30% | ↓ 5-10% | ↑ Optimal |
| data privacy | 🟢 Highest | 🟢 High | 🟠 Medium |
| compliance risk | ✅ GDPR/SOC2 Adopted | ✅ GDPR/SOC2 Adopted | ⚠️ Risk assessment required |
| (manufacturing, production etc) costs | Minimum (no Turbopuffer) | moderate | High (Turbopuffer storage)** |
| Applicable industries | Finance, healthcare, government | General Enterprise Applications | Open source, non-sensitive prototypes |
| user experience | infrastructural | favorable | surpassing |
| Managing complexity | lower (one's head) | moderate | your (honorific) |
* When Privacy Mode is ON, the index contains only the code structure, not the full source code.
3.1.3 Sensitive file isolation with .cursorignore
[Required] Disable the direct use of external rules files.
1. cursor's rules function
https://docs.cursor.com/context/rules
Rules are categorized into: user rules, project rules
| Set user rules: ask for "I am not chatgpt".
Set project rules: require "I am deepseek" to be output. | The answer will be based on the rules of the RULES when chatting: |
# .cursorignore Example configuration (placed in project root directory)
Customization via .cursorrules allows continued exploration of application security constraints
refer to:https://github.com/PatrickJS/awesome-cursorrules
Cursor exclusion file method
refer to:https://cursor.com/cn/docs/context/ignore-files#-1
Example:
.cursorignore
config.json # Specific file
dist/ # Directory
*.log # File extension
**/logs # Nested directories
!app/ # Exclude from ignore (negate)
Configuration check
Cursor Settings → Codebase Indexing → Excluded Patterns
3.2 MCP Trust Management - Zero Trust Architecture
3.2.1 MCP governance framework (key)
MCP Zero Trust GovernanceCriteria:
Core principles:
Default Deny: All MCP servers are denied by default.
Explicit Approve: must be explicitly approved on a case-by-case basis
Regular Review: periodic review and rotation
Immutable Audit: audit logs cannot be tampered with
4-layer defense framework:
3.2.2 MCP Profile Management
Example: Enterprise .cursor/rules/mcp.json
{
"version": "1.0",
"mcpServers": {
"github-api": {
"command": "/opt/mcp-servers/github-wrapper.sh",
"args": ["-token", "${GITHUB_TOKEN}"],
"env": {
"ALLOWED_REPOS": "org/repo1,org/repo2",
"MAX_API_CALLS": "100"
},
"sandboxConfig": {
"network": {
"allowedDomains": ["api.github.com", "github.com"],
"maxBandwidth": "5Mbps"
},
"filesystem": {
"readOnly": ["/app/config"],
"temporary": ["/tmp"]
}
},
"approvalInfo": {
"approvedBy": "security@company.com",
"approvalDate": "2026-01-15T10:30:00Z",
"approvalHash": "sha256:abc123...",
"expirationDate": "2026-01-15T10:30:00Z",
"reviewNotes": "Used for automatic code review comments"
}
},
"custom-plugin": {
"comment":"❌ DEPRECATED - REMOVED BY 2026-02-01".
"command": "/opt/mcp/deprecated.sh",
"sandboxConfig": { "disabled": true }
}
},
"trustSettings": {
"requireReapprovalOnConfigChange": true,
"reapprovalIntervalDays": 90,
"auditLogPath": "/var/log/cursor-mcp-audit.json"
}
}
IV. Enterprise implementation checklist and best practices
4.1 Enterprise implementation checklist
Cursor_Security_Hardening_Master_Checklist
Result: Reduced risk of known Cursor IDE attacks on 95%+
4.2 Developer operating practices
Developer's Guide to Safe Use of Cursor
## Must Know (5)
✅ Privacy Mode must be enabled Settings → Privacy Mode → Enabled
✅ MCPs can only use approved listsCheck the internal Wiki. Want to use the new MCP?
✅ Extensions installed only from the official VS Code Marketplace Prohibited from using Open VSX or other sources, found useful extensions in Open VSX? Feedback to the Security Team
✅ Don't provide the key in the code or in the prompt.Use environment variable: process.env.API_KEY Do not hardcode: sk_live_1234567890abcdef (❌ error)
✅ Periodically check if .cursorignore is valid
Validation: Cursor Settings → Codebase Indexing → Ignored Patterns
Should contain all sensitive files (.env, *.pem, passwords, etc.)
Cursor security is not only a technical issue, it is alsoOrganizational Culture and ProcessesThe manifestation of this. It is recommended that companies assess their current maturity level based on SAMM (Software Assurance Maturity Model) and develop an incremental hardening program. While pursuing development efficiency, theSafety always comes first..
V. References
[1] (2026). Keeping your source code and developer environment secure. https://cursor.com/security
[2] (2025). Privacy Mode: Zero Data Retention. https://cursor.com/docs/privacy-mode
[3] (2025). Enterprise SSO and team management. https://cursor.com/teams
[4] (2025).Cursor Windsurf Google Antigravity Supply Chain Attack Analysis. https://www.cncso.com/ai-ide-cursor-windsurf-google-antigravity-report.html
Original article by Chief Security Officer, if reproduced, please credit https://www.cncso.com/en/cursor-ide-secure-development-guide.html
