LIVE FEED
FIRST LOOK First Look: Chinese AI Firms Launch LLMs Rivalling US Frontier Models in Capability // CRITICAL LLM Agents Weaponised to Deliver Ransomware via Langflow Platform // HIGH Poisoned MCP Tool Descriptions Enable Silent Data Exfiltration via AI Agents // HIGH Fake Bug Reports Weaponised to Hijack AI Coding Agents at Scale // CRITICAL Zero-Click Prompt Injection Flaws in Cursor IDE Enable OS-Level Code Execution // FIRST LOOK First Look: Current AI Launches Open Source AI Gap Map Indexing 421 Projects // HIGH DeepSeek Turns LLM Hallucination Into Working Browser-Only Ransomware Technique // CRITICAL Prompt Injection Chain Breaks Cursor AI Sandbox, Enables Full RCE // FIRST LOOK First Look: Open-Source Tool Lets Claude and Any LLM Watch Videos Locally // FIRST LOOK First Look: Enterprise IGA Platforms Expose Structural Gaps as AI Agents Proliferate //
ATLAS OWASP CRITICAL Active exploitation · Immediate action required RELEVANCE ▲ 9.2

Zero-Click Prompt Injection Flaws in Cursor IDE Enable OS-Level Code Execution

TL;DR CRITICAL
  • What happened: DuneSlide flaws in Cursor AI IDE allow zero-click prompt injection leading to full OS-level code execution.
  • Who's at risk: Software developers using Cursor AI are directly exposed, as exploitation requires no user interaction and targets the developer's local machine.
  • Act now: Update Cursor IDE to the latest patched version immediately · Restrict Cursor's access to sensitive filesystem directories and environment variables · Audit AI-generated code suggestions and agent actions before execution in CI/CD pipelines
Zero-Click Prompt Injection Flaws in Cursor IDE Enable OS-Level Code Execution

Overview

A set of critical vulnerabilities collectively named DuneSlide have been disclosed in Cursor, the widely-used AI-powered code editor. The flaws enable zero-click prompt injection attacks capable of escaping the application’s sandbox and executing arbitrary code directly on the underlying operating system. Given that Cursor is deeply integrated into developer workflows — with agentic capabilities that can read, write, and execute files — these vulnerabilities represent one of the most severe AI-native attack surfaces disclosed to date.

Technical Analysis

The DuneSlide vulnerability chain exploits weaknesses in how Cursor processes and renders LLM-generated content. At a high level, the attack flow is:

  1. Prompt Injection Entry Point: Malicious instructions are embedded in content the AI model is asked to process — such as a README file, code comment, or repository documentation. Because no explicit user action is required to trigger the injection, the attack is classified as zero-click.

  2. Sandbox Escape: Cursor’s AI agent operates with elevated trust relative to standard browser-based sandboxes. The injected prompt manipulates the agent into invoking system-level APIs or shell commands, bypassing intended sandboxing controls.

  3. OS-Level Code Execution: Once sandbox boundaries are broken, the attacker achieves arbitrary command execution in the context of the developer’s operating system user account — granting access to credentials, source code, SSH keys, cloud tokens, and any other locally accessible resources.

The zero-click nature of the attack is particularly alarming: a developer simply opening a maliciously crafted repository or file is sufficient to trigger the full exploit chain.

Framework Mapping

FrameworkTechniqueRationale
MITRE ATLASAML.T0051 - LLM Prompt InjectionCore attack vector using adversarial prompts
MITRE ATLASAML.T0047 - ML-Enabled ProductCursor is the vulnerable AI-enabled surface
MITRE ATLASAML.T0043 - Craft Adversarial DataMalicious files crafted to trigger injection
MITRE ATLASAML.T0010 - ML Supply Chain CompromisePotential for poisoned repos to act as delivery
OWASPLLM01 - Prompt InjectionDirect exploitation via injected instructions
OWASPLLM08 - Excessive AgencyAgent acts beyond intended trust boundaries
OWASPLLM02 - Insecure Output HandlingLLM output interpreted as executable instructions

Impact Assessment

  • Directly Affected: All developers running unpatched versions of Cursor AI on macOS, Windows, or Linux.
  • Blast Radius: Because developers typically hold privileged access to codebases, cloud environments, and internal infrastructure, a successful compromise could pivot rapidly into broader organisational breaches.
  • Supply Chain Risk: Malicious repositories or open-source packages could be weaponised to silently compromise any developer who opens them in Cursor — creating a scalable, low-noise attack vector aligned with supply chain intrusion campaigns.
  • Severity: OS-level RCE with zero-click exploitation warrants a CRITICAL classification under any standard risk framework.

Mitigation & Recommendations

  1. Patch immediately: Apply the latest Cursor update. Verify the patched version addresses DuneSlide CVEs before resuming use.
  2. Restrict agent permissions: Limit Cursor’s agentic features from accessing sensitive directories, environment files (.env), and credential stores.
  3. Treat untrusted repos as hostile: Do not open third-party or unverified repositories in Cursor without first reviewing them in a sandboxed environment.
  4. Monitor for anomalous subprocess activity: Use endpoint detection tools to flag unusual child processes spawned by Cursor.
  5. Review CI/CD integrations: If Cursor or similar AI IDEs are used in automated pipelines, audit the trust boundary between AI suggestions and execution.

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.