The AI security company Mindgard has identified a serious vulnerability in the Cursor application for Windows, which allows for arbitrary code execution. This flaw was reported to Cursor on December 15, 2025, but remains unpatched. The exploit occurs when a file named git.exe is present in the root of a cloned repository, which Cursor executes without any user interaction or warnings.
Details of the Vulnerability
The vulnerability arises from Cursor’s search mechanism for Git binaries when loading a project. If a binary named git.exe exists in the project root, Cursor will execute it, granting the binary access to the user’s resources and credentials. This flaw allows attackers to execute code with the same permissions as the logged-in user, simply by opening a maliciously crafted repository.
Mindgard demonstrated this vulnerability using a proof of concept where they renamed the Windows Calculator to git.exe and added it to a repository’s root. Upon opening the repository in Cursor, the calculator was executed repeatedly, highlighting the ease of exploitation.
Response and Mitigation
Despite the severity of the issue, Cursor has yet to release a fix, and no advisory has been published. Mindgard suggests several workarounds, such as using AppLocker or Windows App Control to block the execution of suspicious binaries within workspace roots. Additionally, they recommend developers use disposable VMs or Windows Sandbox for opening untrusted repositories to mitigate potential risks.
Cursor’s initial response to Mindgard’s report was delayed, and subsequent correspondence showed little progress toward resolving the issue. This has led Mindgard to disclose the vulnerability publicly after exhausting other options.
Impact on Other Platforms
This vulnerability is not unique to Cursor. Similar issues have been identified in other AI tools like GitHub Copilot CLI, Gemini CLI, and Codex desktop app. These applications also execute binaries from the current working directory before checking trusted system paths. However, no patches have been issued by these vendors either.
In contrast, AWS addressed a related issue in its Kiro tool by patching a separate file-write vulnerability, demonstrating that some vendors are taking steps to improve security.
Conclusion and Outlook
This vulnerability highlights a significant security gap in how some development tools handle executable files within repositories. As cloning repositories is a common practice among developers, the potential for exploitation is high. Until a patch is released, developers are advised to treat cloned repositories as potentially harmful content and apply recommended workarounds to protect their systems.
