Overview
A set of critical vulnerabilities collectively named DuneSlide have been disclosed in Cursor, the widely-used AI-powered code editor. The flaws enable zero-click prompt injection attacks capable of escaping the application’s sandbox and executing arbitrary code directly on the underlying operating system. Given that Cursor is deeply integrated into developer workflows — with agentic capabilities that can read, write, and execute files — these vulnerabilities represent one of the most severe AI-native attack surfaces disclosed to date.
Technical Analysis
The DuneSlide vulnerability chain exploits weaknesses in how Cursor processes and renders LLM-generated content. At a high level, the attack flow is:
Prompt Injection Entry Point: Malicious instructions are embedded in content the AI model is asked to process — such as a README file, code comment, or repository documentation. Because no explicit user action is required to trigger the injection, the attack is classified as zero-click.
Sandbox Escape: Cursor’s AI agent operates with elevated trust relative to standard browser-based sandboxes. The injected prompt manipulates the agent into invoking system-level APIs or shell commands, bypassing intended sandboxing controls.
OS-Level Code Execution: Once sandbox boundaries are broken, the attacker achieves arbitrary command execution in the context of the developer’s operating system user account — granting access to credentials, source code, SSH keys, cloud tokens, and any other locally accessible resources.
The zero-click nature of the attack is particularly alarming: a developer simply opening a maliciously crafted repository or file is sufficient to trigger the full exploit chain.
Framework Mapping
| Framework | Technique | Rationale |
|---|---|---|
| MITRE ATLAS | AML.T0051 - LLM Prompt Injection | Core attack vector using adversarial prompts |
| MITRE ATLAS | AML.T0047 - ML-Enabled Product | Cursor is the vulnerable AI-enabled surface |
| MITRE ATLAS | AML.T0043 - Craft Adversarial Data | Malicious files crafted to trigger injection |
| MITRE ATLAS | AML.T0010 - ML Supply Chain Compromise | Potential for poisoned repos to act as delivery |
| OWASP | LLM01 - Prompt Injection | Direct exploitation via injected instructions |
| OWASP | LLM08 - Excessive Agency | Agent acts beyond intended trust boundaries |
| OWASP | LLM02 - Insecure Output Handling | LLM output interpreted as executable instructions |
Impact Assessment
- Directly Affected: All developers running unpatched versions of Cursor AI on macOS, Windows, or Linux.
- Blast Radius: Because developers typically hold privileged access to codebases, cloud environments, and internal infrastructure, a successful compromise could pivot rapidly into broader organisational breaches.
- Supply Chain Risk: Malicious repositories or open-source packages could be weaponised to silently compromise any developer who opens them in Cursor — creating a scalable, low-noise attack vector aligned with supply chain intrusion campaigns.
- Severity: OS-level RCE with zero-click exploitation warrants a CRITICAL classification under any standard risk framework.
Mitigation & Recommendations
- Patch immediately: Apply the latest Cursor update. Verify the patched version addresses DuneSlide CVEs before resuming use.
- Restrict agent permissions: Limit Cursor’s agentic features from accessing sensitive directories, environment files (
.env), and credential stores. - Treat untrusted repos as hostile: Do not open third-party or unverified repositories in Cursor without first reviewing them in a sandboxed environment.
- Monitor for anomalous subprocess activity: Use endpoint detection tools to flag unusual child processes spawned by Cursor.
- Review CI/CD integrations: If Cursor or similar AI IDEs are used in automated pipelines, audit the trust boundary between AI suggestions and execution.