{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-49150", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-06-02T10:39:41.635Z", "datePublished": "2025-06-11T17:49:43.910Z", "dateUpdated": "2025-06-11T18:19:11.056Z"}, "containers": {"cna": {"title": "Cursor Agent Potentially Leaks Information using JSON schema", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/getcursor/cursor/security/advisories/GHSA-9h3v-h59j-v6rj", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/getcursor/cursor/security/advisories/GHSA-9h3v-h59j-v6rj"}], "affected": [{"vendor": "getcursor", "product": "cursor", "versions": [{"version": "< 0.51.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-11T17:49:43.910Z"}, "descriptions": [{"lang": "en", "value": "Cursor is a code editor built for programming with AI. Prior to 0.51.0, by default, the setting json.schemaDownload.enable was set to True. This means that by writing a JSON file, an attacker can trigger an arbitrary HTTP GET request that does not require user confirmation. Since the Cursor Agent can edit JSON files, this means a malicious agent, for example, after a prompt injection attack already succeeded, could trigger a GET request to an attacker controlled URL, potentially exfiltrating other data the agent may have access to. This vulnerability is fixed in 0.51.0."}], "source": {"advisory": "GHSA-9h3v-h59j-v6rj", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-11T18:18:57.274075Z", "id": "CVE-2025-49150", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-11T18:19:11.056Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-49150", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-06-11T18:18:57.274075Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-11T18:19:00.793Z"}}], "cna": {"title": "Cursor Agent Potentially Leaks Information using JSON schema", "source": {"advisory": "GHSA-9h3v-h59j-v6rj", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "getcursor", "product": "cursor", "versions": [{"status": "affected", "version": "< 0.51.0"}]}], "references": [{"url": "https://github.com/getcursor/cursor/security/advisories/GHSA-9h3v-h59j-v6rj", "name": "https://github.com/getcursor/cursor/security/advisories/GHSA-9h3v-h59j-v6rj", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Cursor is a code editor built for programming with AI. Prior to 0.51.0, by default, the setting json.schemaDownload.enable was set to True. This means that by writing a JSON file, an attacker can trigger an arbitrary HTTP GET request that does not require user confirmation. Since the Cursor Agent can edit JSON files, this means a malicious agent, for example, after a prompt injection attack already succeeded, could trigger a GET request to an attacker controlled URL, potentially exfiltrating other data the agent may have access to. This vulnerability is fixed in 0.51.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-06-11T17:49:43.910Z"}}}, "cveMetadata": {"cveId": "CVE-2025-49150", "state": "PUBLISHED", "dateUpdated": "2025-06-11T18:19:11.056Z", "dateReserved": "2025-06-02T10:39:41.635Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-06-11T17:49:43.910Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Cursor is a code editor built for programming with AI. Prior to 0.51.0, by default, the setting json.schemaDownload.enable was set to True. This means that by writing a JSON file, an attacker can trigger an arbitrary HTTP GET request that does not require user confirmation. Since the Cursor Agent can edit JSON files, this means a malicious agent, for example, after a prompt injection attack already succeeded, could trigger a GET request to an attacker controlled URL, potentially exfiltrating other data the agent may have access to. This vulnerability is fixed in 0.51.0."}, {"lang": "es", "value": "Cursor es un editor de c\u00f3digo dise\u00f1ado para programar con IA. Antes de la versi\u00f3n 0.51.0, la configuraci\u00f3n predeterminada de json.schemaDownload.enable era \"True\". Esto significa que, al escribir un archivo JSON, un atacante puede activar una solicitud HTTP GET arbitraria que no requiere confirmaci\u00f3n del usuario. Dado que Cursor Agent puede editar archivos JSON, un agente malicioso, por ejemplo, tras un ataque de inyecci\u00f3n de prompt exitoso, podr\u00eda activar una solicitud GET a una URL controlada por el atacante, lo que podr\u00eda exfiltrar otros datos a los que el agente podr\u00eda tener acceso. Esta vulnerabilidad se corrigi\u00f3 en la versi\u00f3n 0.51.0."}], "id": "CVE-2025-49150", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.9, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-06-11T18:15:26.400", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/getcursor/cursor/security/advisories/GHSA-9h3v-h59j-v6rj"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{}