CVE-2025-49150 is a medium severity vulnerability affecting versions of the Cursor code editor prior to 0.51.0. Cursor is an AI-assisted programming editor that supports JSON file editing and includes a feature controlled by the setting json.schemaDownload.enable, which was enabled by default before version 0.51.0. This setting allows the editor to automatically download JSON schemas via HTTP GET requests without requiring user confirmation. An attacker who can write or modify JSON files—potentially after a successful prompt injection attack on the Cursor Agent—can exploit this behavior to trigger arbitrary HTTP GET requests to attacker-controlled URLs. This can lead to exposure of sensitive information accessible to the Cursor Agent, as the GET request could include data exfiltration vectors embedded in the request parameters or headers. The vulnerability is classified under CWE-200, indicating exposure of sensitive information to unauthorized actors. The CVSS v3.1 score is 5.9 (medium severity), with the vector indicating network attack vector (AV:N), high attack complexity (AC:H), no privileges required (PR:N), no user interaction (UI:N), unchanged scope (S:U), high confidentiality impact (C:H), no integrity impact (I:N), and no availability impact (A:N). No known exploits in the wild have been reported as of the publication date (June 11, 2025). The vulnerability is fixed in Cursor version 0.51.0 by disabling or changing the default behavior of json.schemaDownload.enable to prevent automatic HTTP GET requests triggered by JSON file edits. This vulnerability highlights the risk of automated network requests triggered by user-editable files in AI-assisted development tools, especially when combined with other attack vectors like prompt injection that can manipulate the agent's behavior.

For European organizations using Cursor versions prior to 0.51.0, this vulnerability could lead to unauthorized disclosure of sensitive information accessible by the Cursor Agent. Since the attack requires no privileges or user interaction, it could be exploited remotely if an attacker can induce the agent to process malicious JSON files, for example through compromised repositories, shared project files, or supply chain attacks. The confidentiality impact is high, as sensitive data could be exfiltrated without detection. However, the attack complexity is high, requiring prior compromise or prompt injection to write malicious JSON files. The integrity and availability of systems are not affected. Organizations in sectors with high confidentiality requirements—such as finance, healthcare, and government—could face data leakage risks. Additionally, the use of AI-assisted coding tools is growing in European software development environments, increasing the potential attack surface. The lack of known exploits in the wild reduces immediate risk but does not eliminate it, especially as attackers may develop exploits over time. Overall, the vulnerability could undermine trust in AI-assisted development tools and lead to data breaches if not addressed promptly.

European organizations should immediately upgrade Cursor to version 0.51.0 or later to ensure the vulnerability is patched. If upgrading is not immediately possible, organizations should disable the json.schemaDownload.enable setting manually to prevent automatic HTTP GET requests triggered by JSON file edits. Implement strict controls on the sources of JSON files and other configuration files processed by Cursor, including repository access controls and file integrity monitoring, to prevent injection of malicious JSON content. Employ network-level monitoring and filtering to detect and block suspicious outbound HTTP GET requests from development environments. Educate developers and security teams about the risks of prompt injection attacks and the importance of validating AI-assisted tool inputs. Additionally, consider isolating AI-assisted development environments from sensitive data repositories or using network segmentation to limit potential data exfiltration paths. Regularly audit and monitor Cursor usage and update policies to incorporate security best practices for AI-assisted coding tools.