CVE-2025-61589

MEDIUM

Cursor < 1.7 - Unauthorized Sensitive Information Exposure via Mermaid Image Embedding

Title source: llm

Description

Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a to render diagrams) allows embedding images which then get rendered by Cursor in the chat box. An attacker can use this to exfiltrate sensitive information to a third-party attacker controlled server through an image fetch after successfully performing a prompt injection. A malicious model (or hallucination/backdoor) might also trigger this exploit at will. This issue requires prompt injection from malicious data (web, image upload, source code) in order to exploit. In that case, it can send sensitive information to an attacker-controlled external server. Some additional bypasses not covered in the initial fix to this issue were discovered, see GHSA-43wj-mwcc-x93p. This issue is fixed in version 1.7.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/cursor/cursor/security/advisories/GHSA-xw2x-252g-97w2

Not Applicable x_refsource_misc

https://github.com/cursor/cursor/security/advisories/GHSA-43wj-mwcc-x93p

Scores

CVSS v3 5.9

EPSS 0.0027

EPSS Percentile 18.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (1)

anysphere/cursor < 1.7

Published Oct 03, 2025

Tracked Since Feb 18, 2026