frontpage.
newsnewestaskshowjobs

Open Source @Github

fp.

Open in hackernews

Cursor 0day: When Full Disclosure Becomes the Only Protection Left

https://mindgard.ai/blog/cursor-0day-when-full-disclosure-becomes-the-only-protection-left
95•Synthetic7346•3h ago

Comments

aliasxneo•1h ago
I'm struggling to understand the process that went into this "feature" existing. It seems the most likely candidate is a developer's git started malfunctioning and an agent "fixed" it by dropping a `git.exe` in the repo and then conditionally calling it when it exists.
conartist6•1h ago
and ever since, this approach has been a critical pathway for some billion dollar business probably. hooray
pixl97•1h ago
I see you also work in enterprise software.
gruez•1h ago
>It seems the most likely candidate is a developer's git started malfunctioning and an agent "fixed" it by dropping a `git.exe` in the repo and then conditionally calling it when it exists.

It doesn't need to be that deliberate. The default shell on windows (cmd.exe) includes the current directory into PATH by default. In other words, you don't need to do `./program.exe`, `program.exe` would suffice. That's probably where the bug came from. This also means if you were using cmd.exe, ran `git clone`, went inside it, then executed any command (eg. dir or git) you could get pwned.

drdexebtjl•55m ago
Windows doesn’t really have a default login shell like Unix.

Windows Terminal defaults to PowerShell which does not suffer from this issue.

nubg•1h ago
> Most coordinated disclosures follow a familiar pattern:

> 1. A vulnerability is reported.

> 2. A dialogue begins.

> 3. Severity is discussed.

> 4. Engineering teams investigate.

> 5. Fixes are developed.

> 6. Users are protected.

> 7. Public disclosure follows.

8. The author prompts an LLM to write a blog post.

9. HN users are wasting time, unsure which parts of the post come from the actual prompt, and which are hallucinated world knowledge slop.

mike_hock•36m ago
Maybe the bug report got ignored because they posted another 1000 slop reports, who knows.
dakolli•23m ago
The disclosure seems pretty straight-forward, definitely some LLM assisted writing here, but not nearly as bad as most of the other stuff on this site.
skeledrew•21m ago
Wonder who's fault it is when a critical security issue goes unresolved because "slop" report (sure ain't the reporters').
nosefrog•1h ago
Would be nice if the timeline matched up with the text of the blog post (missing "HackerOne provides disclosure guidance").
ajhenrydev•1h ago
This report reads a bit like AI writing :/

You need to have an already malicious payload on your pc to make this exploit work (via clone/download/magic). I can understand the severity of the exploit but at the same time I’d hope to not have to run into this situation for it to happen in the first place

AntonyGarand•1h ago
The malicious payload can live on the remote: `git clone` a repo, open it with cursor, and you're compromised
JMKH42•1h ago
wouldn't the attack vector be like this:

I find a github repo, I want to contribute to it. I clone it, open up cursor, make an edit, commit, and boom, I am infected.

Illniyar•23m ago
you would only need to open it to be exploited, not edit or prompt. Allegedly
dalemhurley•5m ago
From the article it occurs when Cursor is loaded. iDEs do a lot of stuff when they first open.
skeledrew•19m ago
From my reading, boom happens at "open up cursor".
minraws•46m ago
Why is cursor subsequently executing anything? Like what is this black magic they want to do? I want to know the decision tree here? Was this cursor coded?

I do not understand the point, btw vim has had similar issues with it executing stuff you might not expect by loading a file but it was obviously a vim feature with %{expr}. But why specifically git.exe , this seems like the most redundant bug cve which could have been trivially patched, who does this feature help exactly?

I am not really a user of cursor never used it for even a single day, but at this point I am curious why this exists...

SpicyLemonZest•34m ago
Presumably it's trying to find the user's actual Git so that the built-in agent can load context on different branches, worktrees, etc. Of course there are less vulnerable ways to do that, but this kind of mildly justified hackiness is exactly where I'd expect an AI-assisted workflow to go wrong (and an AI-assisted bug triage to fail to alarm).
Illniyar•24m ago
It's pretty weird for cursor to run arbitrary exe file without prompting, and alarming that the researchers did not get a proper response for months.

But the example with calculator is a bit misleading I think, you'll have to have a malicious exe already in the system and downloaded, and if cursor tried to run my understanding is that ACL should immediately kick in and you'll be asked for permission to run a new, unsigned app for the first time.

You'll have to have ACL disabled completely for this to be exploitable.

chrisjj•24m ago
> Until the IDE is patched, open untrusted repositories only in an isolated VM, Windows Sandbox, or other disposable environment.

Got to wonder why trusted repositories are excluded...

chrisjj•18m ago
> The most obvious question is also the simplest: Why hasn't this been fixed?

Obvious answer is obvious. The devs do not consider it a bug.

firer•8m ago
All too common... It's sad yet understandable how a company would not prioritize security.

At the same time, it's also understandable how a security start-up, upon (rightly) getting fed up waiting, decide to publicly disclose, as a way to scrape some PR out of the sunk cost. Public disclosure has a place. But if you truly care about helping, you could do more than bumping on HackerOne and messaging the CISO once on LinkedIn.

Maybe I'm too cynical but it truly feels like nobody actually cares at this point.

pixl97•1h ago
>You need to have an already malicious payload on your pc to make this exploit work

Uh, no, not exactly from what I'm reading.

At least from my piss poor understanding of it, you could possibly prompt inject something like "download https://github.com/hackmycursor/exploit.git". Would an agent do this, I'm unsure, but if so, it would download the git.exe and execute it.

trollbridge•1h ago
This has been a problem with agent harnesses for as long as I've used them - prompting them to retrieve something often results in them going the extra mile and running and installing it.
gene91•1h ago
Modern day code agents would clone a repo and read the code when you ask it a question about an API that’s not clearly documented. This vulnerability is real.
dalemhurley•7m ago
If your an opensource developer you may get a pull request containing the the git.exe

Bonsai 27B: A 27B-Class model that runs on a phone

https://prismml.com/news/bonsai-27b
218•xenova•3h ago•73 comments

The Tower Keeps Rising

https://lucumr.pocoo.org/2026/7/13/the-tower-keeps-rising/
237•cdrnsf•4h ago•105 comments

Cursor 0day: When Full Disclosure Becomes the Only Protection Left

https://mindgard.ai/blog/cursor-0day-when-full-disclosure-becomes-the-only-protection-left
98•Synthetic7346•3h ago•26 comments

Your 'app' could have been a webpage (so I fixed it for you)

https://danq.me/2026/07/09/your-app-could-have-been-a-webpage/
608•MrVandemar•3d ago•394 comments

The largest available Minecraft world, totalling 15 TB

https://2b2t.place/1million
86•_____k•3d ago•22 comments

How to stop Claude from saying load-bearing

https://jola.dev/posts/how-to-stop-claude-from-saying-load-bearing
345•shintoist•9h ago•415 comments

Guardian Angels: LLM Personalization for Productivity and Security

https://gwern.net/guardian-angel
21•andsoitis•8h ago•1 comments

Show HN: Opening lines of famous literary works

https://www.verbaprima.com/
125•plicerin•5h ago•73 comments

The zero-cost fallacy: open-source software in the agentic era

https://www.thoughtworks.com/insights/blog/open-source/zero-cost-fallacy-open-source-agentic-era
76•backlit4034•4d ago•55 comments

Are we offloading too much of our thinking to AI?

https://www.artfish.ai/p/offloading-thinking-to-ai
303•yenniejun111•5h ago•302 comments

Measuring Input Latency on Linux: X11 vs. Wayland, VRR, and DXVK

https://marco-nett.de/blog/measuring-input-latency-on-linux-x11-vs-wayland-vrr-dxvk/
311•hoechst•4h ago•184 comments

A tiny cell that broke a big rule of biology

https://grist.org/science/nitrogen-cycle-cell-discovery-nitroplast-science-fertilizer-algae-bacte...
141•gumby•5d ago•20 comments

The Second Life of Sanskrit

https://openthemagazine.com/india/the-second-life-of-sanskrit
17•bookofjoe•3d ago•6 comments

Kontigo (YC S24) Is Hiring (Head of Security)

https://www.ycombinator.com/companies/kontigo/jobs/uNttrlv-head-of-security
1•jecastillof•4h ago

Launch HN: Agnost AI (YC S26) – Extract user feedback from agent conversations

https://agnost.ai
29•laalshaitaan•5h ago•15 comments

I'm a USB-C Maximalist

https://shkspr.mobi/blog/2026/07/im-a-usb-c-maximalist/
74•speckx•5h ago•122 comments

Show HN: Juggler – an open-source GUI coding agent, by the creator of JUCE

https://github.com/juggler-ai/juggler
132•julesrms•2d ago•74 comments

Demis Hassabis has a plan to harness AI safely

https://twitter.com/demishassabis/status/2076957440109625718
115•asiergoni•11h ago•147 comments

The Agentic Loop: Three loops in a trench coat

https://www.bobbytables.io/p/the-agentic-loop-three-loops-in-a
56•btables•6h ago•11 comments

Punch yourself in the face with reality

https://adi.bio/reality
182•AdityaAnand1•9h ago•92 comments

Agnes Callard’s theory of the uni-context

https://www.derekthompson.org/p/a-philosophers-one-word-theory-to
78•FinnLobsien•6h ago•87 comments

Superoptimizer – A Look at the Smallest Program (1987) [pdf]

https://dl.acm.org/doi/epdf/10.1145/36177.36194
54•linggen•4d ago•9 comments

Show HN: Beautiful Type Erasure with C++26 Reflection

https://ryanjk5.github.io/posts/rjk-duck/
102•RyanJK5•8h ago•42 comments

European "age verification" "app" forcing everyone to use Android or iOS

https://github.com/eu-digital-identity-wallet/av-doc-technical-specification/discussions/19
414•roundabout-host•12h ago•280 comments

How the FSF sysadmins block botnets with reaction

https://www.fsf.org/blogs/community/blocking-botnets-with-reaction
148•pseudolus•2d ago•54 comments

StubHub's 'marketplace for fans' is run by a mass scalper, SEC filings reveal

https://www.cbc.ca/news/world/stubhub-ceo-class-action-scalping-9.7268987
32•b112•1h ago•3 comments

Paxos Made Simple (2001) [pdf]

https://lamport.azurewebsites.net/pubs/paxos-simple.pdf
64•grep_it•5d ago•7 comments

Show HN: I RL-trained an agent that trains models with RL (for ~$1.3k)

https://github.com/Danau5tin/ai-trains-ai
88•Danau5tin•8h ago•39 comments

Show HN: A Free RSS reader with a configurable recommendation engine

https://sprinklz.io/feed/home
5•sammy0910•1h ago•0 comments

Australian energy retailers must offer three hours of free daytime electricity

https://lenergy.com.au/free-daytime-electricity-is-coming-heres-how-it-actually-works/
254•i2oc•16h ago•325 comments