Advisory

Security researchers report critical security flaws in Cursor and Windsurf IDEs

Take action: If you use the Cursor or Windsurf AI-powered code editors, be aware that the vendors are not planning to quickly patch the base of their IDEs and that the version you are running carries many known vulnerabilities. Ideally, switch to something more secure, such as vanilla VS Code. Otherwise, be extremely cautious about clicking deeplinks or visiting untrusted URLs within the IDE.


Learn More

Security researchers from Ox Security are reporting a massive number of vulnerabilities affecting two popular AI-powered integrated development environments (IDEs), Cursor and Windsurf.

Both Cursor and Windsurf are AI-powered code editors forked from Visual Studio Code that integrate large language models to assist developers in writing software more efficiently. These tools are built on outdated versions of VS Code, which in turn bundle old Electron releases. Since Electron embeds both Chromium and Google's V8 JavaScript engine, the IDEs rely on outdated versions of these components, exposing them to vulnerabilities that have already been patched in newer releases.
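Because the exposure comes from the Chromium build bundled by the IDE rather than from the IDE's own version number, a defender's first check is the component versions the editor reports. The script below is an added example, not code from the advisory or from Ox Security: it parses the text that VS Code's Help > About dialog copies to the clipboard (assumed to have the same layout in Cursor and Windsurf, since both fork VS Code) and flags a bundled Chromium older than a minimum you supply. The minimum version used in the demo is a placeholder, not the actual fixed release for CVE-2025-7656.

```python
import re

# Lines as they appear in the "Help > About > Copy" text of VS Code-based editors
# (assumed to be identical in Cursor and Windsurf, which are VS Code forks).
_FIELD_RE = re.compile(
    r"^(Electron|Chromium|V8|Node\.js):\s*([0-9][0-9A-Za-z.\-]*)\s*$", re.M
)


def parse_about(text: str) -> dict:
    """Extract the component versions from the About text into a dict."""
    return {name: ver for name, ver in _FIELD_RE.findall(text)}


def version_key(ver: str) -> tuple:
    """Turn '128.0.6613.186' into (128, 0, 6613, 186) for ordering.

    Non-numeric suffixes such as '-electron.0' are ignored after the
    leading digits of each dotted piece.
    """
    parts = []
    for piece in ver.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def chromium_is_stale(about_text: str, min_chromium: str) -> bool:
    """True if the bundled Chromium is older than the minimum version given."""
    versions = parse_about(about_text)
    if "Chromium" not in versions:
        raise ValueError("No Chromium version found in About text")
    return version_key(versions["Chromium"]) < version_key(min_chromium)


# Constructed sample modelled on the About text of a VS Code-based editor;
# these are not real Cursor or Windsurf version numbers.
SAMPLE_ABOUT = """Version: 1.2.3
Commit: 0123456789abcdef
Electron: 30.5.1
ElectronBuildId: undefined
Chromium: 124.0.6367.243
Node.js: 20.16.0
V8: 12.4.254.20-electron.0
OS: Linux x64 6.8.0
"""

# Placeholder only: replace with the Chromium version that first shipped the
# fix for the CVE you are checking (the advisory gives the date, not the build).
MIN_CHROMIUM_PLACEHOLDER = "138.0.0.0"

if __name__ == "__main__":
    verdict = "stale" if chromium_is_stale(SAMPLE_ABOUT, MIN_CHROMIUM_PLACEHOLDER) else "ok"
    print(f"Bundled Chromium {parse_about(SAMPLE_ABOUT)['Chromium']}: {verdict}")
```

Paste your own editor's About text in place of the sample and set the minimum to the Chromium release that carries the fix you care about; the same comparison works for the Electron and V8 fields.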

The IDEs are vulnerable to at least 94 known and patched Chromium flaws that remain exploitable in the latest versions of the development tools.

One vulnerability was weaponized by Ox Security researchers as a proof of concept: CVE-2025-7656, an integer overflow flaw in V8's Maglev JIT compiler that was fixed in Google Chrome on July 15, 2025. This vulnerability can be triggered by creating JavaScript functions with extremely large argument lists (approximately 40,000 arguments), causing an integer overflow in the compiler's 32-bit register calculations during optimization.

When the overflow is triggered it causes a crash and potentially enables arbitrary code execution, theft of source code and credentials, and supply-chain attacks through injection of malicious code into developer projects.

Compromising a developer's IDE can have consequences far beyond a single individual, as developers typically have access to codebases, test databases, cloud infrastructure, API keys, credentials, and trade secrets. A compromised IDE can inject backdoors into every project a developer touches.

The researchers successfully demonstrated exploitation through a proof-of-concept attack that begins when a victim clicks a deeplink. According to Cursor's documentation, deeplinks allow users to share prompts and commands with others. When opened, the malicious deeplink causes Cursor to execute a prompt that directs the Simple Browser to visit a remote site hosting the exploit payload.

Because the payload is served remotely rather than embedded in the prompt, it cannot be detected by scanning the prompt itself. The exploit triggers a crash in the assembler during Maglev code generation, demonstrating the serious consequences of relying on unpatched third-party components.

Ox Security validated that the vulnerability stems from outdated Chromium versions by confirming that the exploit works on old VS Code versions with vulnerable Chromium builds, fails on current VS Code (which updates Chromium regularly), and succeeds on the latest versions of both Cursor and Windsurf.

The researchers responsibly disclosed their findings to both Windsurf and Cursor on October 12, 2025. Windsurf has yet to respond to the disclosure. Cursor responded dismissively, stating "Thank you for the report. We consider self-DOS to be out of scope." However, the researchers emphasize that while their proof-of-concept demonstrates a crash (denial of service), the underlying memory corruption primitive enables arbitrary code execution, and dismissing this as "self-DOS" ignores the broader security implications and the 93 other unpatched CVEs in their Chromium build.

There are no mitigation measures available for end users, as this is a vendor-level problem that users cannot patch or address directly. The responsibility falls entirely on Cursor and Windsurf to update their Chromium and Electron dependencies and automate updates.
