
A recently disclosed vulnerability in the Cursor AI‑assisted development environment allows attackers to execute arbitrary code simply by placing a malicious file named git.exe in the root of a repository and then opening that project in Cursor. The flaw, identified by security researchers at Mindgard, affects the IDE’s extensive user base of over seven million developers and remains unpatched despite being reported to Cursor in December 2025.
The issue stems from how Cursor locates the git binary when a repository is loaded. If a rogue git.exe resides in the repository’s root directory, the IDE will execute it automatically, granting the attacker the same privileges as the user running Cursor. No complex payload or user interaction beyond opening the project is required, and the vulnerability does not currently have an assigned CVE identifier.
Mindgard’s analysis shows that the malicious git.exe can be any executable masquerading as the Git command‑line tool, making the attack trivial to deploy in compromised or poisoned repositories. Because Cursor does not validate the integrity or origin of the git binary it invokes, the flaw works on Windows installations where the IDE relies on a local git.exe rather than a bundled version. No CVSS score has been published, but the potential impact includes full system compromise.
To date there is no evidence of active exploitation in the wild, and no threat actors have been linked to the issue. However, the researcher’s frustration with Cursor’s lack of response after seven months of silence has led to full public disclosure in order to alert users and push for remediation. The absence of a coordinated patch leaves organisations relying on Cursor exposed to a straightforward supply‑chain style attack.
Defenders should immediately audit the location of git.exe used by Cursor and ensure that only trusted versions from authorised directories are allowed to run. Implementing application control policies such as Windows AppLocker to block execution of git.exe from unverified repository paths can prevent the malicious binary from launching. Additionally, isolating untrusted or third‑party repositories in separate workspaces or virtual machines reduces the chance of accidental execution.
Organisations are also advised to monitor process creation events for unexpected git.exe instances originating from user‑controlled folders and to consider disabling Cursor’s automatic detection of system git in favour of a vetted, bundled alternative until Cursor issues a fix. Staying informed through the researcher’s blog and the coverage from SecurityWeek and Dark Reading will help administrators track any future updates or mitigation guidance from the vendor.