A critical vulnerability allows attackers to inject malicious code into Cursor's embedded browser through compromised MCP (Model Context Protocol) servers.
Unlike VS Code, Cursor lacks integrity verification on its proprietary features, making it a prime target for tampering.
The attack begins when a user downloads and registers a malicious MCP server through Cursor's configuration file. Once enabled, the rogue server injects arbitrary JavaScript directly into Cursor's internal browser environment.
Attackers exploit the absence of checksum verification to modify unverified code during server registration.
How the Attack Works
The injection mechanism uses a simple but effective technique: "document.body.innerHTML" is replaced with attacker-controlled HTML, completely overwriting the page and bypassing UI-level security checks.
This allows attackers to display convincing fake login pages or malicious content without raising suspicion.
Knostic researchers demonstrated this vulnerability by creating a proof-of-concept that harvested user credentials through a fake login page and transmitted them to a remote server.
The stolen credentials could grant attackers full access to a developer's workstation and corporate network. The attack requires minimal steps: users must enable the MCP server and restart Cursor.
Once it runs, the malicious code remains active in every browser tab within the IDE, giving attackers ongoing access to the system.
This vulnerability highlights a growing threat to the developer ecosystem. MCP servers require broad system permissions to function, meaning compromised servers can modify system components, escalate privileges, and execute unauthorized actions without user awareness.
The threat extends beyond individual developers, according to the Knostic report. Organizations face significant supply chain risks as malicious MCP servers, IDE extensions, and prompts can execute code on developer machines, now the new security perimeter.
Attackers can expand their reach from targeted developers to entire corporate networks. The vulnerability underscores how AI coding tools and agents introduce expanding attack surfaces daily.
Unlike traditional development tools, these platforms integrate multiple external components with minimal visibility or control mechanisms.
Organizations should implement strict policies around MCP server adoption, verify server sources, and monitor IDE configurations. Knostic developers should exercise caution when downloading extensions and servers from untrusted sources.
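One way to monitor IDE configurations as recommended above, shown as an added example that is not code from Knostic or Cursor: it audits an MCP configuration against digests recorded at review time. It assumes the configuration is a JSON file with a top-level `mcpServers` object (for example `~/.cursor/mcp.json`); the server names, package name and paths are constructed sample data.

```python
import hashlib
import json

def entry_digest(entry):
    """SHA-256 of a canonical JSON form, so key order does not affect the digest."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def audit_mcp_config(config_text, approved):
    """Return sorted (server_name, finding) pairs for entries not approved as-is.

    approved maps server name -> digest recorded when the entry was reviewed.
    """
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError:
        return [("<config>", "unparseable JSON")]
    servers = config.get("mcpServers", {}) if isinstance(config, dict) else None
    if not isinstance(servers, dict):
        return [("<config>", "mcpServers is not an object")]
    findings = []
    for name, entry in sorted(servers.items()):
        if name not in approved:
            findings.append((name, "unapproved server"))
        elif entry_digest(entry) != approved[name]:
            findings.append((name, "definition changed since approval"))
    return findings

# Constructed sample data: the package name and paths are hypothetical.
REVIEWED_ENTRY = {"command": "npx", "args": ["-y", "example-docs-mcp@1.2.0"]}
APPROVED = {"docs": entry_digest(REVIEWED_ENTRY)}
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "docs": {"args": ["-y", "example-docs-mcp@1.2.0"], "command": "npx"},
        "helper": {"command": "node", "args": ["/tmp/helper/server.js"]},
    }
})

if __name__ == "__main__":
    for name, finding in audit_mcp_config(SAMPLE_CONFIG, APPROVED):
        print(f"{name}: {finding}")
```

The digest covers only the configuration entry, so the server code it launches still needs its own source and version verification.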
Cursor was notified prior to publication, and the researchers withheld exploit code to prevent widespread abuse.
