Hackers Use Rogue MCP Server to Inject Malicious Code and Control Cursor’s Built-in Browser


A critical vulnerability allows attackers to inject malicious code into Cursor’s embedded browser through compromised MCP (Model Context Protocol) servers.

Unlike VS Code, Cursor lacks integrity verification on its proprietary features, making it a prime target for tampering.

The attack begins when a user downloads and registers a malicious MCP server through Cursor’s configuration file. Once enabled, the rogue server injects arbitrary JavaScript directly into Cursor’s internal browser environment.

Attackers exploit the absence of checksum verification to modify unverified code during server registration.

How the Attack Works

The injection mechanism uses a simple but effective technique: “document.body.innerHTML” is replaced with attacker-controlled HTML, completely overwriting the page and bypassing UI-level security checks.

This allows attackers to display convincing fake login pages or malicious content without raising suspicion.


Knostic researchers demonstrated this vulnerability by creating a proof-of-concept that harvested user credentials through a fake login page and transmitted them to a remote server.

The stolen credentials could grant attackers complete access to a developer’s workstation and corporate network. The attack requires minimal steps: users must enable the MCP server and restart Cursor.

Once it runs, the malicious code stays active in every browser tab in the IDE, giving attackers ongoing access to the system.

This vulnerability highlights a growing threat to the developer ecosystem. MCP servers require broad system permissions to function, meaning compromised servers can modify system components, escalate privileges, and execute unauthorized actions without user awareness.

The threat extends beyond individual developers, according to the Knostic report. Organizations face significant supply chain risks because malicious MCP servers, IDE extensions, and prompts can execute code on developer machines, which are now the new security perimeter.

Attackers can expand their reach from targeted developers to entire corporate networks. The vulnerability underscores how AI coding tools and agents introduce expanding attack surfaces daily.

Unlike traditional development tools, these platforms integrate multiple external components with minimal visibility or control mechanisms.

Organizations should implement strict policies around MCP server adoption, verify server sources, and monitor IDE configurations. Knostic developers should exercise caution when downloading extensions and servers from untrusted sources.
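One way to monitor the IDE configuration and compensate for the missing checksum verification, as an added example that is not code from Knostic or Cursor: audit the registered MCP servers against a reviewed allowlist with pinned file hashes. It assumes the configuration lives at `~/.cursor/mcp.json` with a top-level `mcpServers` object; the allowlist format and the file name `mcp_allowlist.json` are hypothetical.

```python
import hashlib
import json
from pathlib import Path


def sha256_file(path):
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def audit_mcp_config(config_text, allowlist):
    """Return (server_name, finding) pairs for entries that fail review.

    allowlist (hypothetical format) maps a server name to
    {"command": str, "args": [str], "pins": {file_path: sha256}} or {"url": str}.
    """
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, entry in servers.items():
        approved = allowlist.get(name)
        if approved is None:
            findings.append((name, "not on allowlist"))
            continue
        if "url" in entry:  # remote server: only the endpoint can be compared
            if entry["url"] != approved.get("url"):
                findings.append((name, "remote URL differs from approved value"))
            continue
        launch = [entry.get("command"), *entry.get("args", [])]
        if launch != [approved.get("command"), *approved.get("args", [])]:
            findings.append((name, "launch command differs from approved value"))
            continue
        # The launch line matches; now check that the code it runs is unchanged.
        for path, pinned in approved.get("pins", {}).items():
            if not Path(path).is_file():
                findings.append((name, f"pinned file missing: {path}"))
            elif sha256_file(path) != pinned:
                findings.append((name, f"hash mismatch: {path}"))
    return findings


if __name__ == "__main__":
    cfg = Path.home() / ".cursor" / "mcp.json"  # assumed config location
    allow = Path("mcp_allowlist.json")          # hypothetical allowlist file
    if cfg.is_file() and allow.is_file():
        results = audit_mcp_config(cfg.read_text(), json.loads(allow.read_text()))
        for name, finding in results:
            print(f"{name}: {finding}")
```

Run it from a login script or endpoint-management job so that a newly registered or modified server is flagged before the next Cursor restart.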

Cursor was notified prior to publication, and the researchers withheld exploit code to prevent widespread abuse.
