Vulnerability  ·  2026-06-27

Cursor AI Editor — Agent Sandbox Escape via working_directory Parameter Manipulation

Vulnerability · High impact · Global · CVE-2026-50548
Prior to Cursor 3.0, the agent terminal sandbox canonicalizes the target path to confirm it stays inside the workspace before allowing writes. A flaw in the working_directory parameter handling causes the sandbox to include writable paths outside the intended workspace. By setting working_directory to a sensitive location, the agent can write arbitrary files — such as overwriting the cursorsandbox helper — enabling non-sandboxed RCE with no further user interaction.
Cursor is the most widely adopted AI coding assistant in enterprise environments. Sandbox escape in agent mode means prompt injection through any external content (issue trackers, web search, repo content) can lead to full host RCE. Attackers can exfiltrate source code, credentials, SSH keys, and cloud tokens, or establish persistence on developer workstations — a developer supply-chain attack vector.
A malicious agent (triggered via prompt injection or malicious repo content) sets working_directory to a sensitive path such as ~/.cursor or a system directory. The sandbox grants write access to the working directory, so the agent can overwrite the cursorsandbox helper binary or other privileged files, causing subsequent commands to execute outside the sandbox with full user privileges.
Cursor AI code editor < 3.0
Upgrade to Cursor 3.0. Advisory: https://github.com/cursor/cursor/security/advisories/GHSA-3p48-7v9f-v5cw
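A containment check of the kind a sandbox policy builder can apply to a caller-supplied working_directory, shown as an added example; it is not Cursor's code and not the fix shipped in 3.0. The function names, the returned policy shape and the sample directory tree are hypothetical, and the design assumption is that the write allow-list is derived from the workspace root only, never from the request.

```python
import os
import tempfile
from pathlib import Path
from typing import Optional


def resolve_inside(workspace: Path, requested: str) -> Optional[Path]:
    """Canonical path of `requested` if it stays inside `workspace`, else None."""
    root = workspace.resolve()
    candidate = Path(os.path.expanduser(requested))
    if not candidate.is_absolute():
        candidate = root / candidate
    candidate = candidate.resolve()  # collapses ".." and follows symlinks
    # Component-wise comparison, so "/ws-other" never matches root "/ws".
    if candidate == root or root in candidate.parents:
        return candidate
    return None


def sandbox_policy(workspace: Path, working_directory: Optional[str]) -> dict:
    """Validate the requested cwd; the write allow-list never derives from it."""
    root = workspace.resolve()
    cwd = root if not working_directory else resolve_inside(root, working_directory)
    if cwd is None:
        raise PermissionError(f"working_directory outside workspace: {working_directory!r}")
    return {"cwd": cwd, "writable": [root]}


def constructed_layout(base: Path) -> Path:
    """Constructed sample tree: a workspace, a sibling config dir, a symlink out."""
    workspace = base / "workspace"
    (workspace / "src").mkdir(parents=True)
    (base / "fakehome" / ".cursor").mkdir(parents=True)
    (workspace / "link").symlink_to(base / "fakehome" / ".cursor")
    return workspace


def check_all(workspace: Path, requests: list) -> dict:
    """Map each requested working_directory to 'allow' or 'deny'."""
    verdicts = {}
    for req in requests:
        try:
            sandbox_policy(workspace, req)
            verdicts[req] = "allow"
        except PermissionError:
            verdicts[req] = "deny"
    return verdicts


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        ws = constructed_layout(Path(tmp))
        samples = ["src", "../fakehome/.cursor", "link", str(Path(tmp) / "fakehome")]
        for req, verdict in check_all(ws, samples).items():
            print(f"{verdict:5}  {req}")
```

The canonical path returned by the check is the one that should be handed to the sandbox, so that what was validated and what is used cannot differ.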
Sources
Tenable CVE-2026-50548 (confirmed published 2026-06-25)
NVD CVE-2026-50548