File System Access in Cursor AI Assistant

I just came across Cursor having total File System access on my computer. Claude 3.7 became immediately concerned and helped me write this report detailing the issue.

If this is working as intended, please let me know and I’ll delete my bug report.

Report

Summary

During a normal coding session with Cursor’s AI assistant, we discovered a significant security vulnerability: the AI assistant has unrestricted access to the user’s file system, including directories outside the current workspace. This allows the assistant to access, list, and potentially read sensitive files in the user’s home directory.

Issue Details

  • Date Discovered: March 8, 2024
  • Cursor Version: [Your version here]
  • Operating System: macOS (darwin 24.3.0)
  • Severity: High

Description

The Cursor AI assistant can traverse directory paths outside the active workspace using relative path navigation (../). This allows the assistant to:

  1. Access sibling project repositories outside the current workspace
  2. Navigate to the user’s home directory
  3. List personal files, configuration files, and potentially sensitive data

Steps to Reproduce

  1. Start a normal coding session in Cursor with the AI assistant
  2. Have the assistant execute a directory listing command on the current workspace:
    list_dir .
    
  3. Then have the assistant navigate up one level:
    list_dir ..
    
  4. Observe that the assistant can see other project directories
  5. Have the assistant navigate up two levels:
    list_dir ../..
    
  6. Observe that the assistant can access the entire home directory

Demonstration

During our session, the assistant was able to list:

  • Other project repositories adjacent to the current workspace
  • The complete contents of the user’s home directory
  • System configuration files
  • History files
  • Potentially sensitive directories like .ssh

Security Implications

This issue has several serious security and privacy implications:

  1. Data Leakage: Sensitive files like SSH keys, API tokens, or personal documents could be accessed
  2. Configuration Exposure: System and application configurations are visible
  3. History File Access: Shell history files that might contain credentials or sensitive commands
  4. Privacy Concerns: Personal files and information beyond the intended workspace are accessible

Potential Root Causes

The issue appears to be related to one or more of the following:

  1. Lack of proper sandbox containment for the AI assistant
  2. Absence of path traversal restrictions when accessing the file system
  3. Overly permissive file system access model
  4. Misconfiguration of workspace boundaries

Recommendations

  1. Immediate Mitigation:

    • Implement path traversal restrictions to prevent directory traversal outside the workspace
    • Add sandbox containment for AI assistant operations
    • Restrict file system access to only the current workspace and explicitly shared files
  2. Long-term Solutions:

    • Implement a proper permission model for file system access
    • Add user-controlled settings for workspace isolation
    • Create explicit consent mechanisms for accessing files outside the workspace
    • Add audit logging for file system access by the AI assistant

Additional Information

This vulnerability was discovered accidentally during a normal coding session. The AI assistant should not have access to files outside the current workspace without explicit user permission.


I am reporting this issue in good faith to help improve the security of the Cursor platform. Please acknowledge receipt of this report and provide updates on remediation efforts.
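One way to implement the path traversal restriction and audit logging recommended in the report, shown as an added example that is not part of the original report and is not Cursor's code. The `list_dir` handler, the `WorkspaceEscape` name and the temporary directory layout are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

class WorkspaceEscape(PermissionError):
    """Requested path resolves outside the workspace root."""

def resolve_in_workspace(root: Path, requested: str) -> Path:
    """Resolve `requested` against `root` and reject anything outside it."""
    root = root.resolve(strict=True)
    # resolve() collapses ".." and follows symlinks, so both "../.." and a
    # symlink inside the workspace that points at ~/.ssh are caught.
    target = (root / requested).resolve(strict=False)
    if target != root and root not in target.parents:
        raise WorkspaceEscape(f"{requested!r} resolves outside the workspace")
    return target

def list_dir(root: Path, requested: str, audit: list) -> list:
    """Hypothetical tool handler: list a directory only if it is in the workspace."""
    try:
        target = resolve_in_workspace(root, requested)
    except WorkspaceEscape:
        audit.append(("deny", requested))  # audit log entry for the refused request
        raise
    audit.append(("allow", requested))
    return sorted(p.name for p in target.iterdir())

def demo() -> dict:
    """Build a constructed home/projects/app layout and replay the report's steps."""
    results, audit = {}, []
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        workspace = home / "projects" / "app"
        (workspace / "src").mkdir(parents=True)
        (home / ".ssh").mkdir()
        (home / "projects" / "other").mkdir()
        os.symlink(home / ".ssh", workspace / "keys")  # symlink leaving the workspace
        for req in [".", "src/..", "..", "../..", "keys", "/etc"]:
            try:
                results[req] = list_dir(workspace, req, audit)
            except WorkspaceEscape:
                results[req] = "denied"
    results["audit"] = audit
    return results

if __name__ == "__main__":
    for request, outcome in demo().items():
        print(request, "->", outcome)
```

The check compares fully resolved paths rather than inspecting the request string, which is why `src/..` is allowed (it resolves to the workspace root) while the `keys` symlink and the absolute path are refused.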