Hi! Did you know that Cursor and Windsurf, two popular AI coding editors, each carry around 94 known security vulnerabilities inherited from outdated components? If you use either of them, you probably want to know this.
These are real, publicly known vulnerabilities with working exploits that threat actors can use. Researchers at OX Security even demonstrated that, using one of them, they could crash Cursor or run malicious code.
What is the Problem?
Cursor and Windsurf are forks of an older version of Visual Studio Code (VS Code), which runs on Electron. Electron bundles a specific version of the Chromium browser engine together with its JavaScript engine (V8), so an IDE built on an old Electron release ships with an old Chromium and an old V8. The versions bundled in these two IDEs contain vulnerabilities that have already been fixed in current releases and no longer exist in any up-to-date version.
Possible Methods of Hacker Attacks
Here are ways attackers could exploit these issues:
• Bad or malicious IDE extensions
• Harmful code in tutorials or documentation
• Phishing attacks or infected code repositories
Each of these is a way to get attacker-controlled content in front of the IDE's outdated engine. As long as the IDE is not updated, that is how an attacker gets in.
The Vendor Response
The really worrying part is the vendor response. Cursor said the crashing bugs were "not our problem," and Windsurf did not respond at all, even though these are serious, known issues. The latest version of Visual Studio Code does not have these problems.
Recommended Actions
If you use Cursor or Windsurf, here are some actions you should take:
- Upgrade to a current IDE (i.e. the newest version of VS Code)
- Check which Electron and Chromium versions your IDE bundles (Help > About in VS Code and its forks) and compare them with the current Electron and Chromium releases
- Avoid untrustworthy extensions and untrusted repositories
- Consistently monitor security news for the tools you use
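The following script is an added example, not code from the original post, from OX Security or from either vendor. It parses the version lines that VS Code and its forks display under Help > About and flags each bundled component that falls below a minimum version you choose. The About text (ABOUT_TEXT) and the minimum versions (MIN_VERSIONS) are constructed placeholders, not data from the research; set the minimums from the current Electron and Chromium release notes before relying on the result.

```python
import re

# Constructed sample of the text a VS Code fork shows under Help > About.
# All numbers here are placeholders for illustration, not real release data.
ABOUT_TEXT = """\
Version: 1.2.3
VSCode Version: 1.93.1
Commit: 0123456789abcdef0123456789abcdef01234567
Date: 2024-09-10T12:00:00.000Z
Electron: 30.4.0
Chromium: 124.0.6367.243
Node.js: 20.15.1
V8: 12.4.254.20-electron.0
OS: Linux x64 6.8.0
"""

# Assumed minimum acceptable versions (placeholders): take the real values
# from the current Electron and Chromium release pages for your environment.
MIN_VERSIONS = {
    "Electron": "32.0.0",
    "Chromium": "128.0.0.0",
    "Node.js": "20.16.0",
}

# Matches "Component: 1.2.3" style lines; the value must start with a digit
# and contain only version-like characters, so "OS: Linux x64 ..." and the
# ISO date line are ignored.
ABOUT_LINE = re.compile(r"^\s*([A-Za-z0-9. ]+?):\s*([0-9][0-9A-Za-z.\-]*)\s*$")


def parse_about(text):
    """Return a {component: version_string} mapping from About-dialog text."""
    versions = {}
    for line in text.splitlines():
        m = ABOUT_LINE.match(line)
        if m:
            versions[m.group(1).strip()] = m.group(2)
    return versions


def version_key(version):
    """Numeric tuple for ordering; drops suffixes such as '-electron.0'."""
    core = re.match(r"[0-9]+(?:\.[0-9]+)*", version).group(0)
    return tuple(int(part) for part in core.split("."))


def compare(a, b):
    """Return -1, 0 or 1 as version a is older than, equal to or newer than b."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka += (0,) * (width - len(ka))
    kb += (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)


def audit(text, minimums=MIN_VERSIONS):
    """Compare each bundled component against its minimum.

    Each entry records whether the component is ok, outdated or missing,
    the version found, and how many major releases it trails the minimum
    (Chromium major releases typically ship a batch of security fixes, so
    the gap is a rough measure of how much exposure has accumulated).
    """
    found = parse_about(text)
    report = {}
    for component, minimum in minimums.items():
        have = found.get(component)
        if have is None:
            report[component] = {"status": "missing", "have": None, "majors_behind": None}
            continue
        status = "outdated" if compare(have, minimum) < 0 else "ok"
        behind = max(version_key(minimum)[0] - version_key(have)[0], 0)
        report[component] = {"status": status, "have": have, "majors_behind": behind}
    return report


if __name__ == "__main__":
    for component, entry in audit(ABOUT_TEXT).items():
        print(f"{component:9} {entry['status']:9} {entry['have']}  "
              f"({entry['majors_behind']} major release(s) behind)")
```

To audit a real installation, paste the text from Help > About into ABOUT_TEXT (or read it from a file) and update MIN_VERSIONS with the current Electron and Chromium versions; any component reported as outdated means the IDE is running an engine that upstream has already patched.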