DuneSlide, prompt injection in Cursor could escape the sandbox and run any command

Started by EarlyBird, Today at 11:42 AM


EarlyBird

Cato AI Labs found two flaws in Cursor, the AI code editor, that let a single ordinary-looking prompt break out of the editor's safety sandbox and run any command on a developer's machine. No click to fall for, no approval box to ignore. They named the pair DuneSlide, and both are rated 9.8 out of 10.

The mechanism is prompt injection. Cursor runs the terminal commands its AI agent issues inside a sandbox by default to limit damage, and DuneSlide is about getting out of that box. The whole point of the sandbox was to contain stray instructions, and this defeats it.

The reach is the concerning part. Cursor says more than half the Fortune 500 use the tool. Both bugs are patched in Cursor 3.0 from April 2, and every version before 3.0 is affected, so if you are behind on updates you are exposed. Go update.

This is the agentic coding risk in a nutshell. The moment you let a model run commands on your behalf, a malicious prompt hidden in a file or a repo becomes a remote code execution vector. Sandboxes help, but as this shows they are not magic. Anyone doing agentic dev should treat untrusted input in their codebase as genuinely hostile.