Arbitrary HTTP GET Request in Cursor Code Editor by GetCursor
CVE-2025-49150

5.9 MEDIUM

Key Information:

Vendor: Getcursor

CVE Published: 11 June 2025

What is CVE-2025-49150?

A vulnerability in the Cursor code editor, prior to version 0.51.0, allows attackers to trigger unauthorized HTTP GET requests by manipulating JSON files. By default, the json.schemaDownload.enable setting was enabled, which could be exploited in scenarios where an attacker has previously succeeded in prompt injection. This could lead to data exfiltration from the Cursor Agent if it has access to sensitive information. It is crucial for users to update to version 0.51.0 or higher to mitigate this security issue.
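A defensive audit for the condition described above, as an added example that is not code from this page or from Cursor: it reports workspace JSON files that would cause an outbound schema fetch while json.schemaDownload.enable is in effect. It assumes, from VS Code's JSON language support rather than from this page, that the setting governs fetching http(s) schemas named in a file's `$schema` property; the function names, sample settings, files and the example.invalid host are constructed for illustration.

```python
import json
import re
from urllib.parse import urlsplit

def schema_download_enabled(settings_text, default=True):
    """Effective json.schemaDownload.enable for a settings.json text.

    default=True models the pre-0.51.0 default described in the advisory.
    Simplification: only whole-line // comments are ignored (settings are JSONC).
    """
    body = "\n".join(l for l in settings_text.splitlines()
                     if not l.lstrip().startswith("//"))
    m = re.search(r'"json\.schemaDownload\.enable"\s*:\s*(true|false)', body)
    return default if m is None else m.group(1) == "true"

def remote_schema_ref(json_text):
    """Return the http(s) URL in a document's top-level $schema, else None."""
    try:
        doc = json.loads(json_text)
    except ValueError:
        return None  # not parseable as plain JSON; skipped in this sketch
    ref = doc.get("$schema") if isinstance(doc, dict) else None
    if isinstance(ref, str) and urlsplit(ref).scheme in ("http", "https"):
        return ref
    return None

def audit(settings_text, files):
    """files maps path -> JSON text. Returns [(path, host)] for files whose
    schema reference would be fetched under the given settings."""
    if not schema_download_enabled(settings_text):
        return []
    return [(p, urlsplit(u).hostname)
            for p, t in sorted(files.items()) if (u := remote_schema_ref(t))]

# Constructed sample input (not taken from any real workspace).
SETTINGS_DEFAULT = '{\n  // editor prefs\n  "editor.tabSize": 2\n}'
SETTINGS_HARDENED = '{ "json.schemaDownload.enable": false }'
FILES = {
    "package.json": '{"$schema": "https://schemas.example.invalid/pkg.json"}',
    "local.json": '{"$schema": "./schema/local.json"}',
    "data.json": "[1, 2, 3]",
}

if __name__ == "__main__":
    for path, host in audit(SETTINGS_DEFAULT, FILES):
        print(f"{path}: schema would be fetched from {host}")
```

Hosts that appear in the output and are not schema stores the team recognises are the ones worth reviewing.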

Affected Version(s)

cursor < 0.51.0

CVSS V3.1

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
