The latest releases of Cursor and Windsurf integrated development environments are vulnerable to more than 94 known and patched security issues in the Chromium browser and the V8 JavaScript engine.
An estimated 1.8 million developers, the userbase for the two IDEs, are exposed to the risks.
Ox Security researchers explain that both development environments are built on old software that includes outdated versions of the open-source Chromium browser and Google's V8 engine.
They say that Cursor and Windsurf rely on old versions of VS Code that include old releases of the Electron framework for building cross-platform apps using web technologies (HTML, CSS, JavaScript).
"Since Electron embeds Chromium and V8, this means the IDEs rely on outdated Chromium and V8 engines, exposing them to vulnerabilities that have already been patched in newer versions," the researchers say in a report shared with BleepingComputer.
The researchers say that Cursor and Windsurf are vulnerable to at least 94 vulnerabilities present in the Chromium builds they use.
Despite the security issue being disclosed responsibly since October 12, the risks are still present as Cursor considered the report "out of scope" and Windsurf did not respond.
Inheriting n-days from older Electron apps
Source: Ox Security
Chrome risks on the IDE
... continue reading