CVE-2024-48919

Improper Input Validation (CWE-20)

Published: Oct 22, 2024 / Updated: 28d ago

CVSS 9.2 / EPSS 0.04% / Critical

Summary

Cursor, a code editor built for programming with AI, had a vulnerability in its Terminal Cmd-K/Ctrl-K feature. If a user explicitly imported a malicious web page into the Terminal Cmd-K prompt, an attacker controlling the referenced web page could potentially influence a language model to output arbitrary commands for execution in the user's terminal. This vulnerability required the user to explicitly opt-in to including the contents of a compromised webpage, and it required the attacker to display prompt injection text in the contents of the compromised webpage.

Impact

This vulnerability could allow an attacker to execute arbitrary commands in the user's terminal, potentially leading to unauthorized access, data theft, or system compromise. The impact is severe as it could affect the confidentiality, integrity, and availability of the user's system. Given the CVSS v4 base score of 9.2 (Critical), this vulnerability is considered highly severe and could have significant consequences if exploited.

Exploitation

There is no evidence that a public proof-of-concept exists, and there is no evidence of exploitation in the wild at the moment.

Patch

A server-side patch was released on September 27, 2024, within two hours of the issue being reported. This patch prevents streaming back newlines or control characters. Additionally, Cursor version 0.42 includes client-side mitigations to prevent any newline or control character from being streamed into the terminal directly. It also introduces a new setting, `"cursor.terminal.usePreviewBox"`, which, when enabled, streams the response into a preview box that requires manual acceptance before insertion into the terminal.

Mitigation

1. Update to Cursor version 0.42 or later, which includes client-side mitigations.
2. Enable the `"cursor.terminal.usePreviewBox"` setting for an additional layer of security, especially in shell environments where commands can be executed without pressing Enter or any control character.
3. The server-side patch has already been deployed, so no additional action is needed for it, even on older versions of Cursor.
4. Follow the best practice recommended by Cursor's maintainers: only include trusted pieces of context in prompts.
5. Educate users about the risks of importing content from untrusted web pages into the Terminal Cmd-K prompt.
6. Implement strict content security policies to prevent the loading of malicious web pages within the Cursor environment.
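As an added illustration of the two client-side mitigations described in the Patch and Mitigation sections (this is example code written for this page, not Cursor's own implementation), the sink below strips newlines and other control characters from every streamed chunk and, in preview-box mode, holds the whole response back until it is explicitly accepted. The `TerminalCmdKSink` class, the `write(text)` terminal interface and the sample chunk stream are all constructed for the example.

```javascript
// Added example, not Cursor's code: a sink between a streamed LLM response
// and the terminal. Control characters (including CR/LF) are removed from
// each chunk, so a generated command can never execute without the user
// pressing Enter; preview mode mirrors "cursor.terminal.usePreviewBox".

// CR, LF, the rest of C0, DEL and the C1 range. Also dropping the Unicode
// line separators (LS, PS) is an assumption beyond the advisory, because
// some terminal emulators treat them as line breaks.
const CONTROL_CHARS = /[\u0000-\u001F\u007F-\u009F\u2028\u2029]/g;

function sanitizeChunk(chunk) {
  return chunk.replace(CONTROL_CHARS, "");
}

class TerminalCmdKSink {
  // terminal: any object exposing write(text) (hypothetical interface).
  constructor(terminal, { usePreviewBox = false } = {}) {
    this.terminal = terminal;
    this.usePreviewBox = usePreviewBox;
    this.preview = "";
    this.stripped = 0; // number of control characters removed, for logging
  }
  onChunk(chunk) {
    const clean = sanitizeChunk(chunk);
    this.stripped += chunk.length - clean.length;
    if (this.usePreviewBox) this.preview += clean; // held for manual review
    else this.terminal.write(clean);               // inline, never a newline
  }
  accept() { // user explicitly confirmed the previewed command text
    const text = this.preview;
    this.preview = "";
    this.terminal.write(text);
    return text;
  }
  reject() { this.preview = ""; }
}

// Constructed stream: a benign command, a CRLF that would run it in a shell,
// a second command, then an ANSI colour escape (ESC is a control character).
const CONSTRUCTED_CHUNKS = ["echo safe", "\r\n", "echo injected", "\u001b[31m"];

function runDemo(usePreviewBox) {
  const written = [];
  const sink = new TerminalCmdKSink({ write: (t) => written.push(t) }, { usePreviewBox });
  for (const c of CONSTRUCTED_CHUNKS) sink.onChunk(c);
  return { written: written.join(""), preview: sink.preview, stripped: sink.stripped, sink };
}

console.log(runDemo(false).written); // prints "echo safeecho injected[31m"
```

With streaming enabled the two commands collapse onto one line that still needs Enter; with the preview box enabled nothing reaches the terminal until `accept()` is called.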

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Timeline

CVE Assignment: NVD published the first details for CVE-2024-48919 (Oct 22, 2024 at 9:15 PM)

CVSS: A CVSS base score of 9.2 has been assigned (Oct 22, 2024 at 9:20 PM / nvd)

First Article: Feedly found the first article mentioning CVE-2024-48919 (Oct 22, 2024 at 9:21 PM / National Vulnerability Database)

CVSS Estimate: Feedly estimated the CVSS score as HIGH (Oct 22, 2024 at 9:21 PM)

EPSS: EPSS Score was set to 0.04% (Percentile: 9.7%) (Oct 23, 2024 at 11:48 AM)

Links to MITRE ATT&CK

T1562.003: Impair Command History Logging

Attack Patterns

CAPEC-10: Buffer Overflow via Environment Variables

News

CVE-2024-48919 - Exploits & Severity - Feedly
Additionally, Cursor 0.42 includes client-side mitigations to prevent any newline or control character from being streamed into the terminal directly. Prior to Sep 27, 2024, if a user generated a terminal command via Cursor's Terminal Cmd-K/Ctrl-K feature and if the user explicitly imported a malicious web page into the Terminal Cmd-K prompt, an attacker with control over the referenced web page could have a significant chance of influencing a language model to output arbitrary commands for execution in the user's terminal.
CVE-2024-48919
Additionally, Cursor 0.42 includes client-side mitigations to prevent any newline or control character from being streamed into the terminal directly. A server-side patch to not stream back newlines or control characters was released on September 27, 2024, within two hours of the issue being reported.
NA - CVE-2024-48919 - Cursor is a code editor built for programming...
Cursor is a code editor built for programming with AI. Prior to Sep 27, 2024, if a user generated a terminal command via Cursor's Terminal Cmd-K/Ctrl-K feature and if the user explicitly...
CVE-2024-48919 | getcursor up to 0.41 input validation (GHSA-rmj9-23rg-gr67)
A vulnerability was found in getcursor cursor up to 0.41. It has been classified as very critical. Affected is an unknown function. The manipulation leads to improper input validation. This vulnerability is traded as CVE-2024-48919. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.
CVE-2024-48919 - "Cursor Terminal Cmd-K Web Page Code Injection Vulnerability"
Additionally, Cursor 0.42 includes client-side mitigations to prevent any newline or control character from being streamed into the terminal directly. Prior to Sep 27, 2024, if a user generated a terminal command via Cursor's Terminal Cmd-K/Ctrl-K feature and if the user explicitly imported a malicious web page into the Terminal Cmd-K prompt, an attacker with control over the referenced web page could have a significant chance of influencing a language model to output arbitrary commands for execution in the user's terminal.

CVSS V3.1

Unknown
