A severe vulnerability in the popular AI-powered code editor Cursor IDE, dubbed “CurXecute,” allows attackers to execute arbitrary code on developers’ machines without any user interaction.
The vulnerability, tracked as CVE-2025-54135 with a high severity score of 8.6, affects all Cursor IDE versions prior to 1.3 and has been successfully patched following responsible disclosure.
Key Takeaways
1."CurXecute" in Cursor IDE allows remote code execution without user interaction.
2. Malicious prompts via external services exploit MCP auto-start to execute arbitrary commands.
3. Update immediately and review MCP.
The flaw exploits Cursor’s Model Context Protocol (MCP) auto-start functionality, which automatically executes new entries added to the ~/.cursor/mcp.json configuration file.
This mechanism, combined with the IDE’s suggested edits feature, creates a dangerous attack vector where malicious prompts can trigger remote code execution before users have any opportunity to review or approve the changes.
AI-Powered Code Editor Cursor IDE Vulnerability
The vulnerability operates through a sophisticated prompt injection attack that leverages Cursor’s integration with external MCP servers.
When developers connect Cursor to third-party services like Slack, GitHub, or databases through MCP, the IDE becomes exposed to untrusted external data that can manipulate the agent’s control flow.
The attack sequence begins when an attacker posts a crafted message in a public channel accessible through an MCP server. When a victim queries Cursor to summarize messages using the connected service, the malicious payload convinces the AI agent to modify the mcp.json file.
A typical injection might include code such as:
The critical flaw lies in Cursor’s behavior of writing suggested edits directly to disk, triggering automatic command execution through the MCP auto-start feature even before users can accept or reject the suggestion.
This enables attackers to execute commands like touch ~/mcp_rce with developer-level privileges, potentially leading to data theft, ransomware deployment, or complete system compromise.
| Risk Factors | Details |
| Affected Products | Cursor IDE (all versions prior to 1.3) |
| Impact | Remote Code Execution (RCE) |
| Exploit Prerequisites | – Target system running vulnerable Cursor IDE version – MCP server configured with external data access – Attacker ability to inject malicious content into external data source – User interaction with AI agent to process external data |
| CVSS 3.1 Score | 8.6 (High) |
Fix Available
This vulnerability highlights a fundamental security challenge inherent in AI-powered development tools that bridge external and local computing environments.
As Aim Labs noted in their analysis, any third-party MCP server processing external content becomes a potential attack surface, including issue trackers, customer support systems, and search engines.
Cursor has responded promptly to the disclosure, releasing version 1.3 with appropriate fixes.
Developers are strongly advised to update immediately and review their MCP server configurations to minimize exposure to untrusted external data sources.
The discovery builds upon previous research by researchers, including their June disclosure of “EchoLeak,” which demonstrated similar prompt injection vulnerabilities in Microsoft 365 Copilot.
These incidents underscore the growing need for robust runtime guardrails in AI agent architectures, as traditional security models may prove insufficient when external context can directly influence agent behavior and privilege usage.
Integrate ANY.RUN TI Lookup with your SIEM or SOAR To Analyses Advanced Threats -> Try 50 Free Trial Searches
Source link
