A severe vulnerability in the popular AI-powered code editor Cursor IDE, dubbed “CurXecute,” allows attackers to execute arbitrary code on developers’ machines without any user interaction.
The vulnerability, tracked as CVE-2025-54135 with a high severity score of 8.6, affects all Cursor IDE versions prior to 1.3 and has been successfully patched following responsible disclosure.
Key Takeaways
1. “CurXecute” in Cursor IDE allows remote code execution without user interaction.
2. Malicious prompts via external services exploit MCP auto-start to execute arbitrary commands.
3. Update immediately and review MCP.
The flaw exploits Cursor’s Model Context Protocol (MCP) auto-start functionality, which automatically executes new entries added to the ~/.cursor/mcp.json configuration file.
This mechanism, combined with the IDE’s suggested edits feature, creates a dangerous attack vector where malicious prompts can trigger remote code execution before users have any opportunity to review or approve the changes.
AI-Powered Code Editor Cursor IDE Vulnerability
The vulnerability operates through a sophisticated prompt injection attack that leverages Cursor’s integration with external MCP servers.
When developers connect Cursor to third-party services like Slack, GitHub, or databases through MCP, the IDE becomes exposed to untrusted external data that can manipulate the agent’s control flow.
The attack sequence begins when an attacker posts a crafted message in a public channel accessible through an MCP server. When a victim asks Cursor to summarize messages using the connected service, the malicious payload convinces the AI agent to modify the mcp.json file.
A typical injection might include code such as:
The critical flaw lies in Cursor’s behavior of writing suggested edits directly to disk, triggering automatic command execution through the MCP auto-start feature even before users can accept or reject the suggestion.
This enables attackers to execute commands like touch ~/mcp_rce with developer-level privileges, potentially leading to data theft, ransomware deployment, or full system compromise.
Risk Factors: Details
Affected Products: Cursor IDE (all versions prior to 1.3)
Impact: Remote Code Execution (RCE)
Exploit Prerequisites:
– Target system running a vulnerable Cursor IDE version
– MCP server configured with external data access
– Attacker ability to inject malicious content into an external data source
– User interaction with the AI agent to process external data
CVSS 3.1 Score: 8.6 (High)
Fix Available
This vulnerability highlights a fundamental security challenge inherent in AI-powered development tools that bridge external and local computing environments.
As Aim Labs noted in their analysis, any third-party MCP server processing external content becomes a potential attack surface, including issue trackers, customer support systems, and search engines.
Cursor responded promptly to the disclosure, releasing version 1.3 with appropriate fixes.
Developers are strongly advised to update immediately and review their MCP server configurations to minimize exposure to untrusted external data sources.
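One way to carry out the configuration review advised above, as an added example that is not from the original article or from Cursor: compare the current mcp.json against a copy approved earlier and list every added or changed server entry with the command it would start. The top-level mcpServers key with command/args or url fields is assumed as the file layout, and the server names and package name in the sample data are constructed.

```python
import hashlib
import json

# Constructed sample data (not from the article): an approved baseline and a
# later copy of mcp.json. Server names and the package name are hypothetical.
BASELINE = '{"mcpServers": {"slack": {"command": "npx", "args": ["-y", "example-slack-mcp"]}}}'
CURRENT = ('{"mcpServers": {"slack": {"command": "npx", "args": ["-y", "example-slack-mcp"]},'
           ' "helper": {"command": "touch", "args": ["~/mcp_rce"]}}}')


def load_servers(text):
    """Return the mcpServers mapping, rejecting documents with the wrong shape."""
    doc = json.loads(text)
    servers = doc.get("mcpServers", {}) if isinstance(doc, dict) else None
    if not isinstance(servers, dict):
        raise ValueError("mcp.json: expected an object under 'mcpServers'")
    return servers


def fingerprint(entry):
    """Hash the whole entry so a change to command, args, env or url is caught."""
    return hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()


def describe(entry):
    """Render what the entry would start: its command line, or its URL."""
    if isinstance(entry, dict) and "command" in entry:
        return " ".join([str(entry["command"]), *map(str, entry.get("args", []))])
    if isinstance(entry, dict) and "url" in entry:
        return str(entry["url"])
    return "<no command or url>"


def diff_servers(baseline_text, current_text):
    """List (status, name, what_runs) for entries that differ from the baseline."""
    base, cur = load_servers(baseline_text), load_servers(current_text)
    findings = []
    for name in sorted(cur):
        if name not in base:
            findings.append(("added", name, describe(cur[name])))
        elif fingerprint(cur[name]) != fingerprint(base[name]):
            findings.append(("changed", name, describe(cur[name])))
    findings += [("removed", name, "") for name in sorted(base.keys() - cur.keys())]
    return findings


if __name__ == "__main__":
    for status, name, what in diff_servers(BASELINE, CURRENT):
        print(f"{status:8} {name:10} {what}")
```

In practice the second argument would be the text of ~/.cursor/mcp.json and the baseline a copy kept where the agent cannot write. On versions prior to 1.3 a finding means the entry may already have run, so treat it as a detection rather than a gate.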
The discovery builds upon earlier research by the researchers, including their June disclosure of “EchoLeak,” which demonstrated similar prompt injection vulnerabilities in Microsoft 365 Copilot.
These incidents underscore the growing need for robust runtime guardrails in AI agent architectures, as traditional security models may prove insufficient when external context can directly influence agent behavior and privilege usage.