Information disclosure in Anysphere Cursor
CVE-2025-61589
Cursor is a code editor built for programming with AI. In versions 1.6 and below, Mermaid (a to render diagrams) allows embedding images which then get rendered by Cursor in the chat box. An attacker can use this to exfiltrate sensitive in…
Vulnerability class: Information Disclosure
EPSS: 0.003 (19.1th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.9 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N.
Affected products
- Anysphere Cursor
- Cursor — versions < 1.7
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM, Vendor Advisory)
- security-advisories@github.com (x_refsource_MISC, Not Applicable)
Frequently asked questions
- What is CVE-2025-61589?
- CVE-2025-61589 is a medium-severity vulnerability in Anysphere Cursor, classified under Information Disclosure. CVSS score: 5.9/10. Published 2025-10-03.
- How severe is CVE-2025-61589?
- Medium severity. CVSS v3 base score is 5.9 out of 10.