Cursor AI safeguards easily bypassed in YOLO mode: Backslash • The Register

Cursor’s AI coding agent will run automatically, in YOLO mode, if you let it. According to Backslash Security, you might want to think twice about doing so.
If the use of the term YOLO – you only live once – isn’t enough of a warning about the company’s approach to computer security, Tel Aviv, Israel-based Backslash says one of Cursor’s supposed safeguards to prevent its agent from deleting data is “woefully inadequate, if not outright worthless.”
YOLO mode, or auto-run, allows the Cursor agent to carry out multi-step coding tasks without human approval at every step. It comes with several settings that are supposed to limit the scope of possible damage. These include: an allowlist that makes specific commands available to the agent, a denylist that specifies commands the agent should not invoke, and a checkbox to prevent files from being deleted.
As entrepreneur Jason Lemkin’s recent experience with Replit’s AI coding tool demonstrates, LLM-based code help might just do something drastic like delete your production database if used without sufficient care.
Cursor offers its denylist in an attempt to guard against such problems. By adding the “rm” command to the denylist, for example, the Cursor agent should be unable to use that command to delete files. Thus, some Cursor users employ a lengthy denylist.
But the denylist implementation, according to Backslash, can be easily bypassed.
“We found no fewer than four ways for a compromised agent to bypass the Cursor denylist and execute unauthorized commands,” said application security analysts Mustafa Naamneh and Micah Gold, in a blog post.
The denylist fails to block obfuscated commands, the company says. So the agent would dutifully execute the command echo $(curl google.com) if it were encoded in Base64 as echo JChjdXJsIGdvb2dsZS5jb20pCgoK | base64 -d | zsh, even if “curl” were on the denylist.
It will also run denylisted commands if enclosed in a subshell, as in bash -c "curl google.com", or if written into a shell script, as might be done with echo curl google.com > curl.sh && chmod +x curl.sh && ./curl.sh.
And finally, the denylist can be ducked in bash environments by using double quotes or multiple sets of them, such that there’s no way to explicitly block all the potential attack variations.
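The pattern the article describes, as an added illustration that is neither Backslash's nor Cursor's code: a denylist modelled as a first-word check (an assumption, since the article does not say how Cursor's check works) lets the three quoted variants through, while an allowlist of permitted executables that also refuses pipes, chaining, redirection, quoting and substitution rejects every one of them.

```python
import re
import shlex

# Constructed sample configuration: a denylist of the kind the article
# describes, and a short allowlist of executables a developer might permit.
DENYLIST = {"rm", "curl"}
ALLOWLIST = {"ls", "cat", "git", "npm", "pytest"}

# Any of these characters means the line is more than one plain command:
# pipes, chaining, redirection, substitution, quoting or escaping.
COMPOUND = re.compile(r"""[|&;<>$`()'"\\]""")

# The three bypass shapes quoted in the article.
BYPASSES = [
    "echo JChjdXJsIGdvb2dsZS5jb20pCgoK | base64 -d | zsh",              # Base64
    'bash -c "curl google.com"',                                         # subshell
    "echo curl google.com > curl.sh && chmod +x curl.sh && ./curl.sh",  # script
]


def denylist_blocks(cmd: str) -> bool:
    """Assumed weak check: is the first word of the line a denylisted name?"""
    words = shlex.split(cmd)
    return bool(words) and words[0] in DENYLIST


def allowlist_permits(cmd: str) -> bool:
    """Stricter check: exactly one plain command whose executable is allowlisted."""
    if COMPOUND.search(cmd):
        return False  # refuse anything that can smuggle a second command
    words = cmd.split()
    return bool(words) and words[0] in ALLOWLIST


def compare(cmd: str) -> dict:
    """Show how the two policies treat one command line."""
    return {"denylist_blocks": denylist_blocks(cmd),
            "allowlist_permits": allowlist_permits(cmd)}


if __name__ == "__main__":
    for c in ["curl google.com", "git status", *BYPASSES]:
        print(f"{c!r:70} {compare(c)}")
```

Only the plain `curl google.com` is caught by the denylist model; each bypass passes it, which is why the allowlist check refuses any line it cannot parse as a single permitted executable.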
“Cursor’s denylist cannot be relied upon,” said Naamneh and Gold. “While it may prevent an agent from naively running certain Linux commands, it cannot prevent a compromised agent from running any command it would like.”
And the security firm says that the agent’s ability to execute arbitrary commands means Cursor’s other defenses against auto-run/YOLO mode mishaps, like file deletion prevention, are worthless.
How might such commands reach the Cursor agent? According to Naamneh and Gold, developers may import rules.mdc files – reusable agent instructions – “from random GitHub repositories without auditing them.”
Yossi Pik, co-founder and CTO of Backslash Security, told The Register that there are other ways the Cursor agent could execute a risky command. For example, the agent could process injected text from a shared codebase, such as a README or code comment. Or the agent could fetch and execute content from an external site containing malicious instructions.
“The agent only needs to process a file, rule, or response that contains injected commands — whether local, shared, or fetched remotely,” Pik explained. “A web page is not required for the attack to succeed.”
You only live once, but regret is forever.
Cursor did not immediately respond to a request for comment. According to Backslash, which reported the issue, Cursor intends to deprecate the denylist feature in the version 1.3 release, which wasn’t available at the time this story was filed. ®