AI Security AI安全 7d ago Updated 7d ago 更新于 7天前 53

Critical Cursor AI Code Editor Flaws Could Lead to OS-Level Remote Code Execution Cursor AI代码编辑器关键缺陷可能导致操作系统级远程代码执行

Two critical vulnerabilities (CVE-2026-50548, CVE-2026-50549) in the Cursor AI code editor allow attackers to escape the IDE's sandbox and achieve Remote Code Execution (RCE) on the host operating system. The first flaw exploits automatic terminal command execution by manipulating the `working_directory` parameter to add arbitrary paths to the allow list, enabling overwrites of the `cursorsandbox` executable. The second flaw leverages symbolic links and flawed path canonicalization logic to bypa 知名AI代码编辑器Cursor被发现存在两个严重安全漏洞(CVE-2026-50548/50549),统称为“DuneSlide”,可导致远程代码执行(RCE)。 漏洞利用Cursor沙箱内自动终端命令执行无需用户确认的缺陷,攻击者可通过提示词注入绕过工作目录限制。 第二个漏洞涉及文件路径解析逻辑缺陷,攻击者可利用符号链接绕过越界写入保护,再次获取沙箱外执行权限。 这两个漏洞允许恶意MCP服务器请求或提示词注入指令LLM设置非默认工作目录或创建符号链接,从而破坏IDE的安全边界。 Cursor已在3.0版本(4月2日发布)中修复了这两项漏洞,CVSS评分高达9.8,属于高危风险。

75
Hot 热度
70
Quality 质量
85
Impact 影响力

Analysis 深度分析

TL;DR

  • Two critical vulnerabilities (CVE-2026-50548, CVE-2026-50549) in the Cursor AI code editor allow attackers to escape the IDE's sandbox and achieve Remote Code Execution (RCE) on the host operating system.
  • The first flaw exploits automatic terminal command execution by manipulating the working_directory parameter to add arbitrary paths to the allow list, enabling overwrites of the cursorsandbox executable.
  • The second flaw leverages symbolic links and flawed path canonicalization logic to bypass out-of-bounds write protections, allowing attackers to redirect writes to sensitive system files.
  • Both issues stem from prompt injection attacks where an attacker-controlled payload instructs the LLM to execute malicious system commands without user approval.
  • Cursor released patches for these vulnerabilities in version 3.0 on April 2, addressing the security boundaries and file path resolution logic.

Why It Matters

This incident highlights the severe security risks associated with AI agents that have autonomous access to system resources, particularly when they can execute commands without explicit human verification. It demonstrates how prompt injection can escalate from simple text manipulation to full system compromise, serving as a cautionary tale for developers building AI-integrated tools with shell or filesystem access.

Technical Details

  • Sandbox Escape via Working Directory Manipulation: The first vulnerability allows an attacker to inject a prompt that sets the working_directory to an arbitrary path. This path is incorrectly added to the allow list, permitting command execution outside the intended project scope. By overwriting the cursorsandbox executable, subsequent commands run without sandbox restrictions.
  • Symbolic Link Exploitation: The second vulnerability involves a flaw in the IDE's file path resolution. When creating symlinks, the agent fails to correctly canonicalize the path, falling back to the original symlink path instead of the resolved target. This allows the creation of write-only symlinks that bypass out-of-bounds detection, enabling writes to restricted locations like the cursorsandbox executable.
  • Automatic Command Execution: Both vulnerabilities exploit Cursor’s feature of automatically executing terminal commands within the sandbox without prompting the user for approval, removing a critical layer of defense against malicious instructions.
  • CVSS Score: Both vulnerabilities are rated 9.8 (Critical), indicating a high likelihood of exploitation and severe impact on confidentiality, integrity, and availability.

Industry Insight

  • Zero-Trust for AI Agents: Developers must implement strict zero-trust principles for AI agents interacting with system resources. Autonomous command execution should be deprecated or require explicit, multi-factor user confirmation, especially for operations affecting system binaries or directories outside the project scope.
  • Robust Path Canonicalization: Security audits for AI-driven tools must include rigorous testing of file path handling, particularly regarding symbolic links and relative path resolution. Ensuring that the resolved target path is always verified against allow lists is critical to preventing bypasses.
  • Supply Chain and IDE Security: As AI coding assistants become more integrated into development workflows, securing the IDE itself is paramount. Vendors must prioritize secure-by-design architectures that isolate AI-generated actions from critical system functions to prevent prompt injection from leading to remote code execution.

TL;DR

  • 知名AI代码编辑器Cursor被发现存在两个严重安全漏洞(CVE-2026-50548/50549),统称为“DuneSlide”,可导致远程代码执行(RCE)。
  • 漏洞利用Cursor沙箱内自动终端命令执行无需用户确认的缺陷,攻击者可通过提示词注入绕过工作目录限制。
  • 第二个漏洞涉及文件路径解析逻辑缺陷,攻击者可利用符号链接绕过越界写入保护,再次获取沙箱外执行权限。
  • 这两个漏洞允许恶意MCP服务器请求或提示词注入指令LLM设置非默认工作目录或创建符号链接,从而破坏IDE的安全边界。
  • Cursor已在3.0版本(4月2日发布)中修复了这两项漏洞,CVSS评分高达9.8,属于高危风险。

为什么值得看

这篇文章揭示了当前流行的AI编程助手在集成终端执行和文件系统操作时面临的严峻安全挑战,特别是沙箱逃逸问题。对于开发者和企业而言,这强调了在使用AI代理处理代码时,必须严格审查其权限范围和输入来源,防止供应链攻击。

技术解析

  • 漏洞机制:两个漏洞均利用了Cursor IDE在沙箱环境中自动执行终端命令且不请求用户批准的机制。攻击者通过构造特定的提示词注入,诱导LLM执行危险操作,如修改工作目录或创建符号链接。
  • 沙箱边界绕过:第一个漏洞通过非默认的working_directory参数将路径加入白名单,使得命令可以在项目范围外的目录执行。攻击者随后可以覆盖cursorsandbox可执行文件,导致后续命令在无沙箱限制的情况下运行。
  • 符号链接攻击:第二个漏洞利用路径规范化逻辑中的边缘情况。攻击者创建指向外部文件的符号链接,由于代理在验证路径时回退使用原始符号链接路径而非解析后的目标路径,导致越界写入检测失效,进而再次链接到sandbox可执行文件以实现RCE。
  • 修复与时间线:Cato Networks于2月报告漏洞,Cursor在4月2日发布的3.0版本中提供了补丁,CVE ID于6月初分配。这表明从披露到修复存在一定的时间窗口,增加了被利用的风险。

行业启示

  • AI代理权限最小化原则:AI代码编辑器应严格限制其自动执行的命令范围,任何涉及文件系统修改或外部命令执行的操作都必须经过明确的显式用户确认,不能依赖默认信任。
  • 输入验证与沙箱强化:开发者需加强对LLM生成内容的输入验证,特别是针对路径解析、符号链接等系统级操作的边界检查。沙箱实现应更加健壮,防止通过元数据操纵(如工作目录参数)进行逃逸。
  • 供应链安全意识提升:随着AI工具深入开发流程,第三方插件(如MCP服务器)和提示词注入成为新的攻击面。企业和开发者应定期更新AI工具至最新版本,并对使用的AI服务和扩展进行安全审计。

Disclaimer: The above content is generated by AI and is for reference only. 免责声明:以上内容由 AI 生成,仅供参考。

Security 安全 Code Generation 代码生成 Programming 编程