Outdated Electron Versions Put Windsurf and Cursor Users at Risk

October 2025 brought concerning news for developers using AI-powered code editors Windsurf and Cursor. According to cybersecurity researchers at Ox Security, both tools are running outdated Electron and Chromium builds, exposing over 1.8 million users to more than 94 known and previously patched security flaws.

Outdated Electron Is the Root of the Problem

Windsurf and Cursor are AI-integrated forks of Visual Studio Code, designed to help developers write and debug faster. However, both rely on older versions of Electron, which bundles specific Chromium and V8 JavaScript engine releases inside the app.

Because Electron ships Chromium fixes only in new Electron releases, an app pinned to an older Electron inherits every n‑day vulnerability patched upstream since that release. Cursor’s last Chromium update—to Chromium 132.0.6834.210 (Electron 34.5.8)—came in March 2025. Since then, at least 94 CVEs have been disclosed, including remote code execution and sandbox escape bugs.

Vulnerability Spotlight: CVE‑2025‑7656

Ox Security researchers successfully exploited CVE‑2025‑7656, an integer overflow flaw in Google’s V8 engine fixed by Chrome in July 2025. Using a proof‑of‑concept, they demonstrated how a malicious deep link could trigger denial‑of‑service and potentially arbitrary code execution inside the IDE.

Attackers could exploit these weaknesses through:

  • Infected Markdown or README previews
  • Malicious VS Code extensions
  • Booby‑trapped repositories shared on Git platforms

In real-world settings, this could lead to developer workstation compromise, data theft, or source‑code manipulation.

Vendor Responses Raise Concerns

  • Cursor’s official reply labeled the vulnerability “out of scope,” claiming it only caused a self‑inflicted crash. Security experts criticized this dismissal, stating it ignores deeper memory‑corruption risks and enables more serious attacks once weaponized.
  • Windsurf, meanwhile, has not yet published any official mitigation or security advisory, and its changelog as of October 14 lists only minor bug fixes—no Chromium or Electron security updates.

Why This Matters for Developers

Electron-based IDEs like Cursor and Windsurf run local servers with access to file systems, APIs, and developer credentials. This means even one unpatched browser vulnerability can lead to full compromise of the environment.

Since developers often browse documentation, run scripts, and open untrusted repositories inside these tools, unpatched Chromium and V8 bugs translate directly into workstation exposure.

Security Recommendations

Until new builds are released:

  1. Avoid opening untrusted Markdown or HTML previews within Cursor or Windsurf.
  2. Disable external links and embedded browser rendering in project settings.
  3. Run these IDEs in sandboxed environments—for example, inside containers or virtual machines.
  4. Migrate temporarily to Visual Studio Code v1.99+, which is built on Chromium 118+ and includes current security patches.
  5. Monitor the CISA KEV catalog and vendor advisories for updates referencing Chromium or Electron vulnerabilities.
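As an added example (my own code, not the article's or Ox Security's), a small Python checker that reads the bundled Chromium and Electron versions from an Electron app's user-agent string or its Help > About text and compares them numerically against the build that shipped a given fix, which is what "monitor for updates" amounts to in practice. The sample inventory and the `ASSUMED_FIXED_IN` baseline are constructed placeholders; the real baseline comes from the Chrome or Electron release notes for the CVE being checked.

```python
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]

# Bundled builds appear in the Electron UA ("Chrome/132.0.6834.210 Electron/34.5.8")
# and in the Help > About text ("Chromium: 132.0.6834.210"); both forms are matched.
UA_RE = re.compile(r"Chrome/(\d+(?:\.\d+)*)\s+Electron/(\d+(?:\.\d+)*)")
ABOUT_RE = re.compile(r"\b(Electron|Chromium):\s*(\d+(?:\.\d+)*)")

# Placeholder: substitute the Chromium build that shipped the fix you are checking for.
ASSUMED_FIXED_IN = "138.0.0.0"

# Constructed sample inventory: the Cursor build quoted in the article, a hypothetical updated build in About-dialog form, and an unparseable entry.
SAMPLE_INVENTORY = {
    "cursor-build-from-article": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 "
    "(KHTML, like Gecko) Cursor/1.0 Chrome/132.0.6834.210 Electron/34.5.8 Safari/537.36",
    "hypothetical-updated-build": "Version: 9.9.9\nElectron: 37.2.0\nChromium: 138.0.7204.100\n",
    "unparseable-entry": "Cursor 1.0.0",
}

def parse_version(text: str) -> Version:
    """'132.0.6834.210' -> (132, 0, 6834, 210); compare numerically, never as strings."""
    return tuple(int(part) for part in text.split("."))

def extract_versions(blob: str) -> Dict[str, Version]:
    """Return {'chromium': ..., 'electron': ...} from a UA or About string, {} if neither matches."""
    m = UA_RE.search(blob)
    if m:
        return {"chromium": parse_version(m.group(1)), "electron": parse_version(m.group(2))}
    return {name.lower(): parse_version(ver) for name, ver in ABOUT_RE.findall(blob)}

def is_outdated(bundled: Version, fixed_in: Version) -> bool:
    """True when bundled predates fixed_in; zero-pads so '138' and '138.0.0.0' compare equal."""
    width = max(len(bundled), len(fixed_in))
    pad = lambda v: v + (0,) * (width - len(v))
    return pad(bundled) < pad(fixed_in)

def audit(inventory: Dict[str, str], fixed_in: str = ASSUMED_FIXED_IN) -> Dict[str, str]:
    """Classify each app as 'outdated', 'current' or 'unknown' against the fix baseline."""
    baseline = parse_version(fixed_in)
    report = {}
    for app, blob in inventory.items():
        found = extract_versions(blob)
        if "chromium" not in found:
            report[app] = "unknown"
        else:
            report[app] = "outdated" if is_outdated(found["chromium"], baseline) else "current"
    return report
```

The numeric comparison is the point of the helper: compared as strings, "99.0" sorts after "132.0" and an ancient build would be reported as current.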

The Takeaway

The Ox Security disclosure highlights a long-standing challenge for modern software ecosystems: forked applications lagging behind upstream patch cycles. For Windsurf and Cursor, falling even a few months behind means inheriting dozens of high-severity Chromium flaws.

With developers’ tools themselves becoming prime attack targets, keeping IDE runtimes current is no longer optional—it’s essential for secure coding in an AI-driven world.
