Cursor & Windsurf IDEs Hit by 94+ Chromium Vulnerabilities – Supply-Chain Exposure in 2024
Executive Summary
In early 2024, security researchers identified that the latest releases of the Cursor and Windsurf integrated development environments (IDEs) were vulnerable to over 94 known and patched security vulnerabilities within the embedded Chromium browser and V8 JavaScript engine. These n-day vulnerabilities exist because the IDEs relied on outdated Chromium builds, exposing users to a range of critical issues, including remote code execution, privilege escalation, and data leakage. The supply-chain nature of the incident means development teams using these IDEs could inadvertently introduce risk across their entire workflow and environments.
This incident underscores the persistent risk posed by vulnerable software dependencies and highlights an urgent need for improved supply-chain security. With attackers increasingly targeting development tools for initial access or lateral movement, organizations must re-evaluate their patch management, vendor risk assessments, and layered network protections.
Why This Matters Now
The prevalence of old and vulnerable third-party components in developer tools enables attackers to exploit known bugs at scale, often before organizations can react. This supply-chain exposure is particularly urgent for businesses relying on modern DevOps pipelines, as threat actors are accelerating their targeting of trusted tools to bypass traditional defenses, putting sensitive code and intellectual property at risk.
Attack Path Analysis
Attackers exploited n-day Chromium vulnerabilities bundled in the supply chain of Cursor and Windsurf IDEs, gaining initial access to developer environments. Leveraging unpatched browser flaws, they escalated privileges within host or containerized cloud workloads. The adversary likely moved laterally via east-west traffic to access additional resources or workloads. Command and control was maintained over encrypted outbound connections, enabling persistent attacker footholds. Sensitive data was exfiltrated using covert outbound channels or application-to-internet traffic. Ultimately, attackers could disrupt operations, deploy ransomware, or tamper with code integrity, impacting business and supply chain confidence.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited unpatched, known Chromium vulnerabilities embedded in supply chain-distributed IDEs (Cursor, Windsurf) to gain initial code execution within developer or container workloads.
Related CVEs
CVE-2025-7656
CVSS 8.8An integer overflow in the V8 JavaScript engine's Maglev JIT compiler allows attackers to execute arbitrary code via crafted JavaScript functions.
Affected Products:
Cursor Cursor IDE – < 1.3
Windsurf Windsurf IDE – < 2.0
Exploit Status:
proof of conceptCVE-2025-4609
CVSS 9.8A critical vulnerability in Chromium allows remote attackers to execute arbitrary code via crafted web content.
Affected Products:
Cursor Cursor IDE – < 1.3
Windsurf Windsurf IDE – < 2.0
Exploit Status:
exploited in the wildCVE-2025-5419
CVSS 8.8An out-of-bounds read/write vulnerability in the V8 engine allows attackers to execute arbitrary code via crafted JavaScript.
Affected Products:
Cursor Cursor IDE – < 1.3
Windsurf Windsurf IDE – < 2.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Exploit Public-Facing Application
Exploitation of Remote Services
Exploitation for Client Execution
Command and Scripting Interpreter
Access Token Manipulation
Impair Defenses
Credentials from Password Stores
Account Discovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure software vulnerabilities are addressed
Control ID: 6.2.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – ICT Risk Management
Control ID: Article 9
CISA Zero Trust Maturity Model 2.0 – Continuous Vulnerability Assessment
Control ID: Asset Management: Continuous Vulnerability Assessment
NIS2 Directive – Security of Network and Information Systems – Handling Security Risks
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
Direct supply-chain vulnerabilities in Cursor/Windsurf IDEs expose software development environments to 94+ Chromium exploits, compromising code integrity and developer workstations.
Information Technology/IT
IT organizations using vulnerable IDEs face lateral movement risks and compromised development infrastructure, requiring immediate zero trust segmentation and threat detection capabilities.
Financial Services
Critical compliance violations under PCI DSS and regulatory frameworks due to unpatched IDE vulnerabilities potentially exposing sensitive financial application development and data.
Health Care / Life Sciences
HIPAA compliance breaches possible through compromised development tools accessing protected health information, requiring enhanced egress security and anomaly detection measures.
Sources
- Cursor, Windsurf IDEs riddled with 94+ n-day Chromium vulnerabilitieshttps://www.bleepingcomputer.com/news/security/cursor-windsurf-ides-riddled-with-94-plus-n-day-chromium-vulnerabilities/Verified
- Forked and Forgotten: 94 Vulnerabilities in Cursor and Windsurf Put 1.8M Developers at Riskhttps://www.ox.security/blog/94-vulnerabilities-in-cursor-and-windsurf-put-1-8m-developers-at-risk/Verified
- The Curse of the Fork: When Patching is Not Trivialhttps://www.ox.security/blog/the-curse-of-the-fork-when-patching-is-not-trivial/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Zero Trust segmentation, east-west traffic controls, egress policy enforcement, and real-time threat detection would have contained attacker movement, limited the blast radius, and flagged suspicious activity at each phase of the kill chain.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection of exploited application behaviors prevents silent initial access.
Control: Zero Trust Segmentation
Mitigation: Lateral privilege escalation attempts are constrained to tightly defined resources.
Control: East-West Traffic Security
Mitigation: Unauthorized east-west communication is blocked and alerted.
Control: Cloud Firewall (ACF)
Mitigation: Suspicious outbound connections to malicious C2 infrastructure are blocked.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration channels are promptly detected and halted.
Rapid detection of operational disruption or unauthorized code deployment.
Impact at a Glance
Affected Business Functions
- Software Development
- Quality Assurance
Estimated downtime: 5 days
Estimated loss: $500,000
Potential exposure of source code, API keys, and sensitive credentials due to compromised development environments.
Recommended Actions
Key Takeaways & Next Steps
- • Proactively patch third-party and embedded software components—especially within supply chain containers and developer tools.
- • Enforce zero trust segmentation and least privilege between all workloads, users, and namespaces to minimize blast radius.
- • Apply strict egress filtering and centralized control of outbound/internet-bound cloud traffic to prevent C2 and data exfiltration.
- • Continuously monitor for behavioral anomalies and leverage detection engines tuned for supply chain and IDE abuse scenarios.
- • Maintain centralized, multi-cloud visibility and enforce distributed policy using a cloud-native security fabric approach.
