Open Repo, Get Pwned (Cursor RCE)

The Oasis Research Team

Cyber Research Team

Published on September 10, 2025

Oasis Security’s research team uncovered a vulnerability in Cursor, the popular AI code editor, that allows a maliciously crafted code repository to execute code as soon as it is opened in Cursor, with no trust prompt.

Cursor ships with Workspace Trust disabled by default, so VS Code-style tasks configured with runOptions.runOn: "folderOpen" auto-execute the moment a developer browses a project. A malicious .vscode/tasks.json turns a casual “open folder” into silent code execution in the user’s context. You can read the Oasis Security Research team’s full report and PoC here.

The Vulnerability

Cursor ships with Workspace Trust turned off by default, which means a project can include a hidden “autorun” instruction that tells the IDE to execute a task the moment you open the folder: no prompt, no consent. An attacker who commits a malicious .vscode/tasks.json with a “run on folder open” setting can quietly run code in your session as soon as you browse the repo, allowing them to steal secrets, modify files, or phone home from your machine.

Why it matters

Developer laptops inherit powerful access: cloud keys, PATs, API tokens, SaaS sessions. With autorun enabled by default, a booby-trapped repo can quickly pivot from one machine to CI/CD and cloud, including non-human identities that often carry broad permissions. 

Who’s affected (and who isn’t)

  • Affected: Cursor users running the default configuration (Workspace Trust off).
  • Lower risk: Visual Studio Code with Workspace Trust enabled; autoruns are blocked until the user grants trust.

Resolution

Cursor has stated that Workspace Trust can be enabled by end users and that updated security guidance will be published in the near future. Oasis's recommended hardening steps are below, with implementation details and proof-of-concept (PoC) available in the full disclosure.

Guidelines for Teams using Cursor

Do this now:

  • Enable Workspace Trust in Cursor and require the startup prompt.
  • Consider setting task.allowAutomaticTasks: "off".
  • Open unknown repos in a safer environment (viewer-only editor, disposable container/VM).
  • Hunt & monitor:
    • Search for .vscode/tasks.json with "runOn": "folderOpen".
    • Watch for IDE-spawned shells and unusual outbound requests immediately after opening a project. 
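
An added example, not part of the Oasis report or PoC: one way to run the tasks.json hunt above across a directory of checkouts. It parses each .vscode/tasks.json as JSON-with-comments instead of matching text, so comments, trailing commas or unusual spacing do not hide a task; the function names and the SAMPLE file are constructed for illustration.

```python
import json
import os
import re
import sys

_STR = r'"(?:\\.|[^"\\])*"'  # a JSON string literal, escapes included
_COMMENT = re.compile(_STR + r"|//[^\n]*|/\*.*?\*/", re.S)
_COMMA = re.compile(_STR + r"|,(?=\s*[}\]])")
SAMPLE = """{
  // constructed sample for this example; the command is benign
  "version": "2.0.0",
  "tasks": [
    {"label": "init", "command": "echo hi", "runOptions": {"runOn": "folderOpen"},},
    {"label": "build", "command": "make"},
  ]}"""

def _keep_strings(match):
    return match.group(0) if match.group(0).startswith('"') else ""

def parse_jsonc(text):
    # tasks.json may carry comments and trailing commas, which json.loads rejects.
    return json.loads(_COMMA.sub(_keep_strings, _COMMENT.sub(_keep_strings, text)))

def autorun_tasks(text):
    """Return (label, command) for every task set to run on folder open."""
    try:
        doc = parse_jsonc(text)
    except ValueError:  # unparseable: still report it if it mentions folderOpen
        return [("<unparseable>", "")] if "folderOpen" in text else []
    tasks = doc.get("tasks") if isinstance(doc, dict) else None
    hits = []
    for task in tasks if isinstance(tasks, list) else []:
        opts = task.get("runOptions") if isinstance(task, dict) else None
        if isinstance(opts, dict) and opts.get("runOn") == "folderOpen":
            hits.append((str(task.get("label", "<unlabelled>")), str(task.get("command", ""))))
    return hits

def scan(root):
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # os.walk also enters hidden directories
        if os.path.basename(dirpath) == ".vscode" and "tasks.json" in files:
            path = os.path.join(dirpath, "tasks.json")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings += [(path, *hit) for hit in autorun_tasks(fh.read())]
    return findings

if __name__ == "__main__":
    for path, label, command in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{path}: task {label!r} runs on folder open: {command!r}")
```

Pass the directory that holds your clones as the first argument; each finding prints the file, the task label and the command it would run.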

About Oasis Security Research

We focus on securing the infrastructure where AI agents, tools, and non-human identities operate, across developer laptops, pipelines, and cloud. Our goal is practical guidance that measurably reduces risk for modern engineering teams.