Hackers Exploit Cursor’s Vulnerability via Rogue MCP Servers, Risking Developer System Security

Hackers Exploit Rogue MCP Servers to Compromise Cursor’s Embedded Browser

Researchers have identified a critical security vulnerability in Cursor's integrated browser: a malicious Model Context Protocol (MCP) server registered in the IDE can inject arbitrary code into it. Unlike Visual Studio Code, which warns the user when its installation files have been altered, Cursor performs no integrity verification of its proprietary components, so tampered code loads without any warning.

Understanding the Vulnerability

The attack begins when a user downloads a malicious MCP server and registers it in Cursor's MCP configuration file. Once the server is enabled, it can inject arbitrary JavaScript into Cursor's internal browser environment by modifying the IDE's own code. Because Cursor does not checksum its proprietary files (the check that VS Code performs on its installation), the modified code is loaded as if it were genuine.

Mechanism of the Attack

The injection technique is both simple and effective. The injected script assigns attacker-controlled HTML to `document.body.innerHTML`, discarding whatever page the user was viewing and replacing it wholesale. Since the script runs inside the embedded browser with the same privileges as the page itself, any trust indicator or warning the page would have rendered is overwritten along with it, and the attacker can present a convincing fake login page or other deceptive content without arousing suspicion.

Demonstration of the Exploit

Researchers at Knostic demonstrated the vulnerability with a proof-of-concept that captures user credentials through a counterfeit login page and transmits them to a remote server. Credentials harvested this way could give an attacker full access to the developer's workstation and, by extension, the corporate network. The attack requires minimal user interaction: enabling the MCP server and restarting Cursor. Once triggered, the malicious code is active in every browser tab inside the Integrated Development Environment (IDE) and persists until the modified code is removed, giving the attacker a durable foothold on the system.

Broader Implications

This vulnerability underscores a growing threat within the developer ecosystem. MCP servers typically run as local processes with the permissions of the developer who launches them, with the same access to files, shell and credentials, so a compromised server can modify components on disk, attempt privilege escalation, and execute unauthorized actions without the user's knowledge.

The risk extends beyond individual developers. Organizations face a software supply chain threat: malicious MCP servers, IDE extensions, and prompts can all execute code on developer machines, which have effectively become the new security perimeter. Attackers can leverage that foothold to move into the corporate network.

The proliferation of AI coding tools and agents steadily expands this attack surface. Unlike traditional development tools, these platforms integrate multiple external components with little visibility into what they do and few controls over what they may change.

Recommended Mitigation Strategies

To mitigate these risks, organizations should adopt strict policies on which MCP servers may be used, verify the source of each server and pin it to a known command or version (rather than, for example, letting a launcher fetch the latest package at startup), and monitor IDE configurations closely, including both the global and per-project MCP configuration files. Because Cursor does not verify its own files, it is also worth baselining the IDE installation directory and alerting on any change to it. Developers should treat MCP servers and extensions from untrusted sources with the same caution as any other code they run on their machine.
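The following script is an added example illustrating the two checks recommended above and the missing integrity verification discussed earlier; it is not Knostic's proof-of-concept and not Cursor's own code. It assumes the MCP configuration has the shape `{"mcpServers": {name: {"command": ..., "args": [...]}}}` used by Cursor's `mcp.json`, and the allowlists, sample configuration and sample files are constructed for the demonstration (the real baseline would be taken over Cursor's installation resources, whose path varies by OS).

```python
"""Audit Cursor MCP configuration and detect tampering with IDE files.

Added example. Assumptions (not from the article): the mcp.json shape
below, the hypothetical allowlists, and the constructed sample data.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Constructed sample mcp.json: one vetted server and one rogue entry that
# pulls an unpinned package from the network every time Cursor starts.
SAMPLE_MCP_JSON = json.dumps({
    "mcpServers": {
        "internal-docs": {"command": "/opt/mcp/internal-docs", "args": ["--stdio"]},
        "helpful-tools": {"command": "npx", "args": ["-y", "helpful-mcp-tools@latest"]},
    }
})

APPROVED_COMMANDS = {"/opt/mcp/internal-docs"}  # hypothetical allowlist
PACKAGE_LAUNCHERS = {"npx", "uvx", "bunx"}       # fetch-and-run launchers


def is_pinned(pkg: str) -> bool:
    """True if a package spec carries an explicit, non-floating version."""
    rest = pkg.lstrip("@")  # tolerate scoped names such as @scope/pkg@1.2.3
    return "@" in rest and not rest.endswith("@latest")


def audit_mcp_config(text: str) -> list[str]:
    """Return human-readable findings for every server entry that violates policy."""
    findings = []
    for name, spec in json.loads(text).get("mcpServers", {}).items():
        cmd = spec.get("command")
        args = spec.get("args", [])
        if cmd is not None and cmd not in APPROVED_COMMANDS:
            findings.append(f"{name}: command {cmd!r} is not in the allowlist")
        if cmd in PACKAGE_LAUNCHERS:
            pkg = next((a for a in args if not a.startswith("-")), None)
            if pkg is None or not is_pinned(pkg):
                findings.append(f"{name}: launcher {cmd} runs an unpinned package {pkg!r}")
    return findings


def hash_tree(root: Path) -> dict[str, str]:
    """SHA-256 of every file under root, keyed by relative POSIX path."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_baseline(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Compare a stored baseline against the current tree."""
    return {
        "modified": sorted(k for k in baseline if k in current and baseline[k] != current[k]),
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
    }


def demo_integrity() -> dict[str, list[str]]:
    """Baseline a constructed stand-in for the IDE tree, tamper with it, re-check."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "out").mkdir()
        bundle = root / "out" / "workbench.js"
        bundle.write_text("/* constructed stand-in for an IDE JavaScript bundle */\n")
        baseline = hash_tree(root)  # in practice, store this somewhere the IDE cannot write
        # Simulate what a rogue server does: append its payload to the bundle and drop a file.
        bundle.write_text(bundle.read_text() + "document.body.innerHTML = '<form>...</form>';\n")
        (root / "out" / "dropped.js").write_text("// attacker-added file\n")
        return diff_baseline(baseline, hash_tree(root))


if __name__ == "__main__":
    for line in audit_mcp_config(SAMPLE_MCP_JSON):
        print("config:", line)
    for kind, paths in demo_integrity().items():
        print(f"integrity {kind}: {paths}")
```

The baseline must be stored outside anything the IDE or an MCP server can write to; a hash file kept next to the installation can simply be regenerated by the same code that tampered with the bundle.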

Knostic notified Cursor of the vulnerability before publishing its findings and has withheld the exploit code to limit abuse.