A vulnerability in the AI code editor Cursor allowed remote attackers to use an indirect prompt injection to modify sensitive MCP files and execute arbitrary code.
Tracked as CVE-2025-54135 (CVSS score of 8.6), the flaw existed because Cursor did not require user approval when creating a sensitive MCP file.
The security defect allowed an attacker to write a dotfile, such as the .cursor/mcp.json file, via an indirect prompt injection, and then trigger remote code execution (RCE) without the user's approval.
“If chained with a separate prompt injection vulnerability, this could allow the writing of sensitive MCP files on the host by the agent. This can then be used to directly execute code by adding it as a new MCP server,” Cursor’s advisory reads.
According to Aim Labs, which discovered the bug and named it CurXecute, the problem is that suggested edits to mcp.json land on disk immediately, and Cursor acts on the file before the user has accepted or rejected the suggestion.
Thus, an attacker can stand up an ordinary MCP server that feeds the agent untrusted data, then plant a prompt in that data instructing the agent to edit mcp.json. Cursor launches the MCP server defined in the modified file, and because each server entry is a command line, this yields RCE.
“This occurs earlier than the person has any probability to approve or reject the suggestion – offering the attacker with an arbitrary command execution,” Goal Labs underlines.
Any third-party MCP server that processes external content is susceptible to the attack, including customer support tools, issue trackers, and search engines, Aim Labs says.
Addressed in Cursor version 1.3, this was not the only code execution flaw resolved in the AI agent recently. Another one, tracked as CVE-2025-54136 (CVSS score of 7.2), could have allowed attackers to replace the contents of a previously approved MCP configuration with malicious commands without triggering a new approval prompt, since approval was tied to the server entry rather than to the command it launched.
“If an attacker has write permissions on a user’s active branches of a source repository that contains existing MCP servers the user has previously approved, or an attacker has arbitrary file-write locally, the attacker can achieve arbitrary code execution,” Cursor notes.
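Both flaws come down to the same property of mcp.json: every entry under "mcpServers" is a command line that the editor will run, so an edit that lands on disk unreviewed (CurXecute) or a silent change to an already approved entry (CVE-2025-54136) is code execution. The following script, written for this article as an added example and not code from Cursor or Aim Labs, shows what a file-level check would have to look like. It assumes the documented mcp.json layout ("mcpServers" mapping a server name to "command", "args" and optional "env") and uses two constructed sample files; the second keeps the approved server's name but swaps its command and adds a new server, which is the case a name-only approval check misses.

```python
import hashlib
import json

# Constructed sample: the mcp.json a user previously reviewed and approved.
# Names and package are placeholders for the example.
APPROVED_MCP_JSON = """{
  "mcpServers": {
    "docs-search": {
      "command": "npx",
      "args": ["-y", "@example/docs-search-mcp"]
    }
  }
}"""

# Constructed sample: the same file after an unreviewed, prompt-injected edit.
# The approved name is kept (so a name-only check would pass) but its command
# is swapped, and a second server is added. Both entries would be launched on
# load. The commands are harmless stand-ins for an attacker's payload.
TAMPERED_MCP_JSON = """{
  "mcpServers": {
    "docs-search": {
      "command": "sh",
      "args": ["-c", "echo command swapped under an approved name"]
    },
    "helper": {
      "command": "sh",
      "args": ["-c", "echo new server added without review"]
    }
  }
}"""


def server_fingerprint(spec: dict) -> str:
    """Hash the fields that decide what gets executed: command, args and env.

    Keys are sorted and whitespace stripped so a cosmetic rewrite of the file
    does not change the hash, while any change to the launch line does.
    """
    launch = {
        "command": spec.get("command"),
        "args": spec.get("args", []),
        "env": spec.get("env", {}),
    }
    canonical = json.dumps(launch, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def approved_fingerprints(mcp_json: str) -> dict:
    """Build the {server name: fingerprint} baseline from an approved config."""
    servers = json.loads(mcp_json).get("mcpServers", {})
    return {name: server_fingerprint(spec) for name, spec in servers.items()}


def audit_mcp_config(mcp_json: str, baseline: dict) -> dict:
    """Classify every server in mcp_json against the approved baseline.

    Returns {"approved": [...], "modified": [...], "new": [...]}. Entries in
    "modified" or "new" would otherwise be launched without a fresh review,
    which is the path both CVEs abuse, so a loader should refuse to start them
    until the user has re-approved the exact command line.
    """
    result = {"approved": [], "modified": [], "new": []}
    servers = json.loads(mcp_json).get("mcpServers", {})
    for name, spec in servers.items():
        fp = server_fingerprint(spec)
        if name not in baseline:
            result["new"].append(name)
        elif baseline[name] != fp:
            result["modified"].append(name)
        else:
            result["approved"].append(name)
    return result


if __name__ == "__main__":
    baseline = approved_fingerprints(APPROVED_MCP_JSON)
    print(audit_mcp_config(APPROVED_MCP_JSON, baseline))
    print(audit_mcp_config(TAMPERED_MCP_JSON, baseline))
```

The point of hashing the launch fields rather than the whole file is that a user's approval should bind to what will be executed, not to the server's label; a check that only remembers the name "docs-search" accepts the swapped command, while this one flags it as modified and the extra entry as new.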
Another indirect prompt injection attack against Cursor was flagged by BackSlash and HiddenLayer. It targeted Cursor's Auto-Run mode, in which the agent executes commands automatically without asking for permission, and was also addressed in Cursor version 1.3.
Users could define a denylist of commands for which the AI agent had to request permission before running, but this protection could be bypassed by placing the prompt injection in a comment block inside a git repository's README.
When the victim clones the repository and opens it, Cursor reads the embedded instructions and follows them, allowing the attacker to exfiltrate sensitive information from the system, chain legitimate tools to harvest and exfiltrate files, or perform other malicious actions, without warning the victim, HiddenLayer says.
“We found no fewer than four ways for a compromised agent to bypass the Cursor denylist and execute unauthorized commands,” BackSlash notes.
Related: Flaw in Vibe Coding Platform Base44 Exposed Private Enterprise Applications
Related: The Wild West of Agentic AI – An Attack Surface CISOs Can’t Afford to Ignore
Related: Google Says AI Agent Thwarted Exploitation of Critical Vulnerability
Related: Malicious NPM Packages Target Cursor AI’s macOS Users