Researchers found a concerning vulnerability in Cursor’s Background Agents that allowed them to gain complete control over the underlying Amazon EC2 infrastructure.
The incident, discovered two weeks after the agents’ public release, highlights significant risks in modern SaaS applications that extend beyond traditional desktop boundaries.
The attack began when researchers noticed Docker-like processes during the Background Agent spin-up phase.
Upon closer examination, they discovered a “Show Terminal” button within the Cursor user interface, originally designed for debugging and transparency purposes.

This feature provided direct command-line access to what they quickly realized was a remote machine rather than their local environment.
The ubuntu user account on this remote system was highly privileged by design, necessary for Cursor’s agent to pull packages and install dependencies.
This inherent privilege allowed researchers to achieve straightforward escalation to root access using the sudo -i command. At this point, they had gained significant control over the infrastructure and began investigating the scope of their access.

Docker Escape Technique

Using penetration testing tools like Linpeas.sh, researchers conducted comprehensive enumeration of the compromised machine.
They discovered several critical components of Cursor’s infrastructure, including a Server-to-Server token for GitHub authentication, Node.js server and client components for agent functionality, and substantial 1TB storage capacity indicating significant resource allocation.

The breakthrough came when researchers found that the host machine shared its volumes with the Docker instance.
With root privileges, they could write to any location within these shared volumes, including the host machine’s file system.
Through network enumeration, they identified the host machine’s IP address as 172.17.0.1.

To escape the Docker container, they employed SSH key injection: generating their own SSH key pair, writing the public key to /root/.ssh/authorized_keys, and then using the Cursor UI’s folder system to transfer their private key into the Docker instance.
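
The condition that made this escape possible, a container with root-capable access and a writable mount of host paths, can be audited from the host side. The following is an added example, not code from the researchers or from Cursor; the SENSITIVE path list, container names and mount paths are constructed assumptions, while the JSON field names are those of `docker inspect`.

```python
import json
from pathlib import PurePosixPath

# Host paths that must not be writable from a container. Assumed list for this example.
SENSITIVE = ["/root/.ssh", "/home", "/etc", "/var/run/docker.sock", "/run/docker.sock"]

def overlaps(source, sensitive):
    """True if the mounted host path equals, contains, or sits inside a sensitive path."""
    s, t = PurePosixPath(source), PurePosixPath(sensitive)
    return s == t or s in t.parents or t in s.parents

def audit(inspect_json):
    """Return one finding per risky writable bind mount in `docker inspect` JSON."""
    findings = []
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        user = c.get("Config", {}).get("User", "")
        is_root = user.split(":")[0] in ("", "0", "root")
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append(f"{name}: runs privileged")
        for m in c.get("Mounts", []):
            if m.get("Type") != "bind" or not m.get("RW", False):
                continue  # named volumes and read-only binds are out of scope here
            hits = [p for p in SENSITIVE if overlaps(m["Source"], p)]
            if hits:
                who = "root" if is_root else f"user '{user}' (verify it has no sudo)"
                findings.append(f"{name}: writable bind {m['Source']} -> "
                                f"{m['Destination']} exposes {', '.join(hits)} to {who}")
    return findings

# Constructed sample shaped like `docker inspect` output; not data from the incident.
SAMPLE = json.dumps([
    {"Name": "/agent", "Config": {"User": "ubuntu"}, "HostConfig": {"Privileged": False},
     "Mounts": [
         {"Type": "bind", "Source": "/root", "Destination": "/host-root", "RW": True},
         {"Type": "bind", "Source": "/srv/workspace", "Destination": "/workspace", "RW": True}]},
    {"Name": "/builder", "Config": {"User": ""}, "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/etc", "Destination": "/etc-ro", "RW": False}]},
])

if __name__ == "__main__":
    for line in audit(SAMPLE):
        print(line)
```

On a real host, pass the output of `docker inspect $(docker ps -q)` to `audit()`; a non-root container user is still reported because, as in this incident, it may hold sudo rights inside the image.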

Security Implications

The successful attack resulted in complete SSH access to the host machine, effectively allowing researchers to escape the Docker container and gain control over the underlying EC2 instance.
The research team immediately disclosed their findings to Cursor’s security team through responsible disclosure practices.
However, Cursor’s security team confirmed that relevant safeguards were in place to prevent misuse, with machine permissions, AWS roles, and VPC configurations being well-defined and heavily restricted.
The GitHub token was properly scoped to user repositories, and EC2 instances operate on a single-tenant per user basis.
This incident underscores critical vulnerabilities in modern SaaS applications, particularly third-party risk amplification where desktop tools can provide gateways to cloud environments.
The ability to escalate from privileged Docker container access to root control over EC2 instances demonstrates how “by design” privileges can be exploited.
The incident reinforces urgent concerns about SaaS security, as attackers increasingly exploit the interconnected nature of cloud services to breach organizational defenses beyond traditional application boundaries.




