Cursor CurXecute workspace-write to RCE (CVE-2025-54135)
CurXecute showed how a workspace-file write path in Cursor could become remote code execution.
Affected systems
Coding agents
Primary threats
Capability Escalation, Tool Misuse
Impact types
Remote code execution, Repository trust collapse
CVEs
Not specified
What an auditor should now check
- Map writable files that can later influence shell, build, or IDE execution
- Check whether repo files are incorrectly treated as trusted inputs
- Verify that post-write execution requires fresh approval and provenance checks
Why this matters
Coding agents collapse the boundary between repository trust and code execution. Once a writable workspace can shape later execution, prompt-to-sink chains become practical.
What happened
A writable workspace path became a route to remote code execution. The exploit did not require direct shell control from the start; it only needed influence over files that later shaped execution.
Why the classification matters
This is why coding-agent audits must inventory delayed sinks like hooks, shell config, task runners, and CI files.
What an auditor should now check
- Whether the agent can write files that later become executable or policy-bearing
- Whether repository trust boundaries are explicit and enforced
- Whether users review the actual modified files, not only a coarse task label
Zealynx takeaway
For coding agents, file write authority is often just pre-execution authority with a time delay.
Control implications
- Treat workspace writes as potential delayed execution primitives
- Enforce file-scope policy around shell profiles, configs, hooks, and CI files
- Require revalidation before executing newly written content
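One way to implement the file-scope policy and revalidation controls above, as an added example that is not code from Cursor or from this page's author. The sink glob list, the function names and the sample write log are assumptions made for illustration; approval is bound to the SHA-256 of the exact content a user reviewed, so a later rewrite of the same file needs fresh approval.

```python
import fnmatch
import hashlib
from pathlib import PurePosixPath

# Assumed sink inventory (category -> lowercase globs); extend for your agent and IDE.
DELAYED_SINKS = {
    "hook": [".git/hooks/*", ".husky/*"],
    "shell_config": [".bashrc", ".zshrc", ".profile", ".bash_profile", ".envrc"],
    "task_runner": ["makefile", "package.json", ".vscode/tasks.json"],
    "ci": [".github/workflows/*", ".gitlab-ci.yml", "jenkinsfile"],
}
# Constructed sample: files one agent task wrote (path -> content).
SAMPLE_WRITES = {
    "src/app.py": b"print('hi')\n",
    "src/../.git/hooks/pre-commit": b"#!/bin/sh\necho hook\n",
    ".GitHub/workflows/build.yml": b"on: push\n",
    "tools/Makefile": b"all:\n\techo build\n",
    "../.zshrc": b"export X=1\n",
}

def normalize(path):
    """Resolve ../ lexically and lowercase; None if the path leaves the workspace."""
    parts = []
    for seg in PurePosixPath(path.replace("\\", "/")).parts:
        if seg.startswith("/") or (seg == ".." and not parts):
            return None
        if seg == "..":
            parts.pop()
        else:
            parts.append(seg.lower())  # case-insensitive filesystems
    return "/".join(parts)

def classify(path):
    """Sink category for a written path, or None when it is not a known sink."""
    norm = normalize(path)
    if norm is None:
        return "outside_workspace"
    name = norm.rsplit("/", 1)[-1]
    for category, globs in DELAYED_SINKS.items():
        for g in globs:
            target = norm if "/" in g else name  # bare names match at any depth
            if fnmatch.fnmatchcase(target, g) or fnmatch.fnmatchcase(target, "*/" + g):
                return category
    return None

def writes_needing_approval(writes, approved):
    """approved maps path -> SHA-256 hex of the exact content a user reviewed."""
    return [(p, classify(p)) for p, data in writes.items()
            if classify(p) and approved.get(p) != hashlib.sha256(data).hexdigest()]
```

Path matching here is lexical only, so symlinks inside the workspace must be resolved before paths reach `classify`.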