Critical Vulnerability in Cursor IDE Allows Remote Code Execution Without User Interaction

A significant security flaw, designated as CVE-2025-54135 and nicknamed CurXecute, has been identified in Cursor IDE, an AI-powered code editor. This vulnerability enables attackers to execute arbitrary code on developers’ machines without requiring any user interaction. The flaw affects all versions of Cursor IDE prior to 1.3 and has been assigned a high severity score of 8.6. Following responsible disclosure, the issue has been addressed in the latest release.

Understanding the Vulnerability

The CurXecute vulnerability exploits Cursor’s Model Context Protocol (MCP) auto-start functionality. This feature automatically executes new entries added to the `~/.cursor/mcp.json` configuration file. When combined with the IDE’s suggested edits feature, this creates a critical attack vector. Malicious prompts can trigger remote code execution before users have the opportunity to review or approve the changes.

Mechanism of the Attack

The attack leverages Cursor’s integration with external MCP servers, such as Slack, GitHub, or databases. By connecting to these third-party services, Cursor becomes susceptible to untrusted external data that can manipulate the agent’s control flow.

The attack sequence unfolds as follows:

1. Crafting the Malicious Prompt: An attacker posts a specially crafted message in a public channel accessible through an MCP server.

2. Triggering the Vulnerability: When a developer uses Cursor to summarize messages from the connected service, the malicious payload convinces the AI agent to modify the `mcp.json` file.

3. Executing Arbitrary Code: Cursor writes the suggested edits directly to disk, triggering automatic command execution through the MCP auto-start feature. This occurs even before the user can accept or reject the suggestion.

For example, an injection might include code such as:

```json
{
  "auto_start": [
    {
      "command": "touch ~/mcp_rce"
    }
  ]
}
```

This command creates a file named `mcp_rce` in the user’s home directory, demonstrating the potential for arbitrary code execution.

Potential Impact

The implications of this vulnerability are severe. Attackers can execute commands with developer-level privileges, leading to:

– Data Theft: Unauthorized access to sensitive information.

– Ransomware Deployment: Installation of malicious software that encrypts data, demanding payment for its release.

– System Compromise: Complete control over the affected system, allowing for further malicious activities.

Risk Factors

– Affected Products: Cursor IDE versions prior to 1.3.

– Impact: Remote Code Execution (RCE).

– Exploit Prerequisites:

  – Target system running a vulnerable version of Cursor IDE.

  – MCP server configured with external data access.

  – Attacker’s ability to inject malicious content into the external data source.

  – User interaction with the AI agent to process external data.

– CVSS 3.1 Score: 8.6 (High).

Mitigation Measures

In response to the disclosure, Cursor has released version 1.3, which addresses this vulnerability. Developers are strongly advised to:

– Update Immediately: Install Cursor IDE version 1.3 or later to mitigate the risk.

– Review MCP Configurations: Examine MCP server settings to minimize exposure to untrusted external data sources.
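
One way to carry out the configuration review above, as an added example that is not code from Cursor or Aim Labs: the script walks an MCP configuration, collects every launch entry, and reports any that are not on a reviewed allowlist. The `args` key, the allowlist and the sample entries (including the package name `example-slack-mcp`) are assumptions constructed for illustration; the walk looks for `command` keys at any depth, so it does not depend on the exact layout of `mcp.json`.

```python
import json
from pathlib import Path

# Constructed sample: one approved entry plus the article's proof-of-concept entry.
SAMPLE = """
{
  "auto_start": [
    {"command": "npx", "args": ["-y", "example-slack-mcp"]},
    {"command": "touch ~/mcp_rce"}
  ]
}
"""
# Constructed allowlist: launch lines the developer has reviewed and approved.
APPROVED = {("npx", "-y", "example-slack-mcp")}


def launch_specs(node, path="$"):
    """Yield (json_path, (command, *args)) for every object with a 'command' key."""
    if isinstance(node, dict):
        if "command" in node:
            args = node.get("args")  # 'args' is an assumed companion key
            args = args if isinstance(args, list) else []
            yield path, (str(node["command"]), *map(str, args))
        for key, value in node.items():
            yield from launch_specs(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from launch_specs(item, f"{path}[{i}]")


def audit(config_text, approved):
    """Return launch entries missing from the allowlist; fail closed on bad JSON."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError:
        return [("$", ("<unparseable config>",))]
    return [(p, spec) for p, spec in launch_specs(config) if spec not in approved]


if __name__ == "__main__":
    target = Path.home() / ".cursor" / "mcp.json"  # path named in the article
    text = target.read_text() if target.exists() else SAMPLE
    for path, spec in audit(text, APPROVED):
        print(f"UNAPPROVED {path}: {' '.join(spec)}")
```

Because the comparison covers the full command line, an approved server whose arguments have been altered is reported as well as a wholly new entry.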

Broader Implications

This vulnerability underscores the inherent security challenges in AI-powered development tools that bridge external and local computing environments. As noted by Aim Labs, any third-party MCP server processing external content becomes a potential attack surface, including issue trackers, customer support systems, and search engines.

The discovery builds upon previous research, such as the EchoLeak vulnerability in Microsoft 365 Copilot, which demonstrated similar prompt injection vulnerabilities. These incidents highlight the growing need for robust runtime guardrails in AI agent architectures, as traditional security models may be insufficient when external context can directly influence agent behavior and privilege usage.

Conclusion

The CurXecute vulnerability in Cursor IDE serves as a critical reminder of the importance of securing AI-powered development tools. By promptly updating to the latest version and reviewing MCP configurations, developers can protect their systems from potential exploitation. Ongoing vigilance and the implementation of robust security measures are essential to safeguard against emerging threats in the evolving landscape of AI-assisted development environments.