Researchers Hack Cursor Background Agents to Take Control of Amazon EC2 Instance

Security researchers at Reco have uncovered a significant vulnerability in Cursor’s Background Agents that allowed them to gain complete control over an Amazon EC2 instance, highlighting emerging risks in modern SaaS applications with cloud infrastructure components.

Discovery and Initial Access

The vulnerability was discovered when Reco’s security team, led by Director of Security Research Dvir Sasson, began investigating Cursor’s newly released Background Agents feature, designed for complex background task execution.

The researchers noticed suspicious Docker-like operations during the agent’s initialization process, which prompted a deeper investigation into the application’s architecture.

The breakthrough came when researchers identified a “Show Terminal” button within Cursor’s user interface, originally intended for debugging purposes.

This feature provided direct command-line access to what they discovered was a remote AWS machine rather than their local development environment.

Through this terminal access, the team could execute commands on the underlying cloud infrastructure, establishing their initial foothold in the system.

Privilege Escalation and System Compromise

The researchers quickly determined that Cursor’s Ubuntu user possessed elevated privileges by design, necessary for the agent to install packages and dependencies.

This architectural decision enabled straightforward privilege escalation to root access using standard system commands.

Once root access was achieved, the team conducted a comprehensive enumeration using penetration testing tools to map the complete infrastructure setup.

Their investigation revealed several critical components of Cursor’s infrastructure, including a Server-to-Server GitHub token used for repository authentication, Node.js server components for agent functionality, and substantial 1TB storage capacity provisioned for agent operations.

The researchers also discovered that the instance ran within a well-configured AWS environment utilizing custom Docker image orchestration.

Docker Escape and Host Machine Access

The most significant aspect of the vulnerability involved escaping from the Docker container to gain control of the host EC2 instance.

The researchers discovered that the host machine shared volumes with the Docker instance, and their root privileges allowed write access to these shared storage locations.

Through careful enumeration, they identified the host machine’s IP address and leveraged SSH key injection techniques to establish direct access to the underlying infrastructure.
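A defender can check for the condition this section describes, a container running as root with write access to host paths, by auditing `docker inspect` output. The following is an added example, not code from Reco or Cursor; the list of sensitive host paths and the sample container data are assumptions constructed for illustration.

```python
import json
from pathlib import PurePosixPath

# Assumed list for this example: host paths where container write access can
# change host logins (authorized_keys, /etc) or reach the container runtime.
SENSITIVE = ["/root", "/home", "/etc", "/var/run/docker.sock", "/run/docker.sock"]

def overlaps(source: str, sensitive: str) -> bool:
    """True if the mounted host path equals, contains, or lies inside `sensitive`."""
    src, sens = PurePosixPath(source), PurePosixPath(sensitive)
    return src == sens or src in sens.parents or sens in src.parents

def audit(containers: list) -> list:
    """Flag writable bind mounts over sensitive host paths in `docker inspect` output."""
    findings = []
    for c in containers:
        name = c.get("Name", "?").lstrip("/")
        user = c.get("Config", {}).get("User", "")
        # An empty User field means the process runs as root (uid 0).
        as_root = user in ("", "0", "root") or user.startswith(("0:", "root:"))
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append(f"{name}: runs privileged")
        for m in c.get("Mounts", []):
            if m.get("Type") != "bind" or not m.get("RW"):
                continue  # named volumes and read-only binds are out of scope here
            hit = next((s for s in SENSITIVE if overlaps(m["Source"], s)), None)
            if hit:
                who = "root" if as_root else f"user {user}"
                findings.append(f"{name}: {who} can write host path {m['Source']} "
                                f"(mounted at {m['Destination']}, overlaps {hit})")
    return findings

# Constructed sample, not taken from the incident: two containers as
# `docker inspect` would describe them (only the fields the audit reads).
SAMPLE = json.loads("""[
 {"Name": "/agent", "Config": {"User": ""}, "HostConfig": {"Privileged": false},
  "Mounts": [
   {"Type": "bind", "Source": "/home/ubuntu", "Destination": "/workspace", "RW": true},
   {"Type": "volume", "Source": "/var/lib/docker/volumes/cache/_data", "Destination": "/cache", "RW": true}]},
 {"Name": "/web", "Config": {"User": "1000"}, "HostConfig": {"Privileged": false},
  "Mounts": [
   {"Type": "bind", "Source": "/etc/ssl/certs", "Destination": "/certs", "RW": false}]}
]""")

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

On a real host, feed it the parsed output of `docker inspect $(docker ps -q)` in place of the sample.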

Industry Response and Implications

Reco immediately contacted Cursor’s security team to report the complete attack chain.

Cursor confirmed that relevant safeguards were in place to prevent misuse and that the machine’s permissions, AWS roles, and VPC configurations were appropriately restricted to prevent lateral movement between different user instances.

Broader Security Considerations

This incident underscores the evolving nature of SaaS security risks, particularly as desktop applications increasingly rely on cloud infrastructure for enhanced functionality.

The vulnerability demonstrates how seemingly simple development tools can create unexpected attack vectors into cloud environments, emphasizing the need for comprehensive SaaS security strategies that account for third-party applications with underlying infrastructure components.


AnuPriya
AnuPriya is a cybersecurity reporter at Cyber Press, specializing in cyber attacks, dark web monitoring, data breaches, vulnerabilities, and malware. She delivers in-depth analysis on emerging threats and digital security trends.
