Hackers Exploit Rogue MCP Servers to Hijack Cursor’s Embedded Browser
In a recent cybersecurity development, attackers have identified a critical vulnerability within Cursor’s integrated browser, leveraging compromised Model Context Protocol (MCP) servers to inject malicious code. This exploitation underscores the pressing need for enhanced security measures in developer tools.
Understanding the Vulnerability
Cursor, a popular integrated development environment (IDE), incorporates an embedded browser to streamline the development process. Unlike other IDEs such as Visual Studio Code, Cursor lacks integrity verification for its proprietary features, rendering it susceptible to unauthorized modifications.
The attack begins when a developer downloads a malicious MCP server and registers it via Cursor’s configuration file. Once activated, this rogue server can inject arbitrary JavaScript directly into Cursor’s internal browser environment. Because no checksum is verified during server registration, attackers can modify the unverified code unimpeded.
Mechanics of the Attack
The injection uses a simple but effective technique: replacing `document.body.innerHTML` with attacker-controlled HTML. This overwrites the existing page content, circumventing user interface-level security checks. Consequently, attackers can present deceptive login pages or other malicious content without arousing suspicion.
Security researchers at Knostic demonstrated this vulnerability by crafting a proof-of-concept that harvested user credentials through a counterfeit login page, subsequently transmitting the data to a remote server. The compromised credentials could grant attackers full access to a developer’s workstation and, by extension, the broader corporate network.
The attack requires minimal user interaction: enabling the MCP server and restarting Cursor. Once initiated, the malicious code remains active across all browser tabs within the IDE, providing attackers with persistent access to the system.
Broader Implications
This vulnerability highlights a growing threat within the developer ecosystem. MCP servers necessitate extensive system permissions to operate, meaning that compromised servers can alter system components, escalate privileges, and execute unauthorized actions without user awareness.
The risk extends beyond individual developers. Organizations face significant supply chain threats, as malicious MCP servers, IDE extensions, and prompts can execute code on developer machines, which now serve as the new security perimeter. Attackers can leverage this access to infiltrate entire corporate networks.
The incident underscores how AI coding tools and agents expand the attack surface daily. Unlike traditional development tools, these platforms integrate multiple external components with minimal visibility or control mechanisms, amplifying potential vulnerabilities.
Recommendations for Mitigation
To safeguard against such threats, organizations should implement stringent policies regarding MCP server adoption, verify server sources meticulously, and monitor IDE configurations regularly. Developers are advised to exercise caution when downloading extensions and servers from untrusted sources.
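One way to monitor IDE configurations for unreviewed MCP servers, shown as an added example that is not from the researchers or from Cursor. It assumes the configuration is a JSON file with an `mcpServers` object mapping server names to launch settings; the server names, the sample file and the allowlist of reviewed fingerprints are constructed for illustration.

```python
import hashlib
import json

# Constructed sample of an MCP configuration file. The "mcpServers" layout
# (name -> command/args or url) is an assumption, not taken from the article.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "docs-search": {"command": "npx", "args": ["-y", "docs-search-mcp@1.4.2"]},
    "browser-helper": {"command": "node", "args": ["/tmp/helper/index.js"]},
    "issue-tracker": {"url": "https://mcp.example.internal/sse"}
  }
}
"""


def fingerprint(entry):
    """Stable SHA-256 over the launch-relevant fields of one server entry."""
    relevant = {k: entry.get(k) for k in ("command", "args", "url", "env")}
    canonical = json.dumps(relevant, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def build_allowlist(config_text, names):
    """Record fingerprints for servers that passed review (hypothetical step)."""
    servers = json.loads(config_text)["mcpServers"]
    return {name: fingerprint(servers[name]) for name in names}


def audit(config_text, approved):
    """Return (name, finding) pairs for servers that are not approved as-is.

    approved maps server name -> fingerprint recorded at review time.
    """
    servers = json.loads(config_text).get("mcpServers", {})
    findings = []
    for name, entry in sorted(servers.items()):
        if name not in approved:
            findings.append((name, "unapproved"))   # registered without review
        elif fingerprint(entry) != approved[name]:
            findings.append((name, "changed"))      # command, args, url or env drifted
    return findings


if __name__ == "__main__":
    reviewed = build_allowlist(SAMPLE_CONFIG, ["docs-search", "issue-tracker"])
    for name, finding in audit(SAMPLE_CONFIG, reviewed):
        print(f"{name}: {finding}")
```

A fingerprint covers only how the server is launched; the server's own code still needs source verification before it is approved.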
Cursor was notified of this vulnerability prior to the publication of this report. The researchers have withheld exploit code to prevent widespread abuse.