Security Vulnerability in Cursor AI Code Editor: What You Need to Know
Introduction to the Vulnerability
Cybersecurity experts have recently uncovered a critical security flaw in Cursor, a well-known artificial intelligence (AI) code editor. This vulnerability, registered as CVE-2025-54135 and carrying a CVSS score of 8.6, poses significant risks, including the potential for remote code execution. Cursor’s team has acted quickly, addressing this issue in version 1.3, which was released on July 29, 2025. The flaw has been dubbed "CurXecute" by Aim Labs, a group with a record of identifying critical security issues like EchoLeak.
The Mechanics of the Vulnerability
The issue arises because Cursor runs with developer-level privileges, especially when paired with a Model Control Protocol (MCP) server that interacts with untrusted external data. According to Aim Labs, untrusted data fed to the agent can redirect its control flow and so abuse these elevated privileges. By injecting harmful data through MCP, attackers can achieve remote code execution, opening the door to a range of malicious actions, including ransomware attacks and data theft.
How the Exploit Works
A particularly alarming aspect of this vulnerability is its method of operation. When an attacker supplies external content, specifically a crafted command delivered through an MCP server, the Cursor agent can be tricked into executing dangerous commands. An attack could unfold as follows:
- A user adds a Slack MCP server using Cursor’s interface.
- An attacker posts a message in a public Slack channel containing an injection payload.
- The victim then instructs Cursor to use the newly added Slack MCP server for summarizing messages, unwittingly triggering the malicious commands embedded in the Slack message.
This scenario showcases how simple interactions can lead to severe security breaches, emphasizing the risks associated with AI-assisted tools.
The Technical Focus: mcp.json and Auto-Run Mode
The flaw is rooted in the mcp.json file, which configures custom MCP servers within Cursor. A new server entry written to that file is triggered without any form of user confirmation. This auto-run behaviour is particularly dangerous: a malicious payload executes automatically without alerting the user, even if the user ultimately rejects the command.
Aim Security elaborated that once the configuration has been loaded, code execution occurs before any confirmation can be given. This ease of exploitation points to a significant oversight in Cursor's security design.
Intervention by Cursor
In response to responsible disclosures by the BackSlash Research Team, Cursor has decided to phase out the denylist feature for auto-run capabilities. The new approach will use an allowlist instead, so that only explicitly permitted commands may run.
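As an added illustration of the allowlist approach (example code, not Cursor's own), the following Python audits a project's mcp.json and reports every server entry that is not explicitly permitted, next to a denylist check of the kind the article says is being phased out. It assumes the documented `{"mcpServers": {...}}` layout; the allowlist, denylist and sample entries are constructed for the example.

```python
import json

# Constructed policy for the example; a real allowlist is a team decision.
ALLOWED_COMMANDS = {"npx", "uvx", "node", "python3"}
# Flags that let an allowlisted interpreter run arbitrary inline code.
INLINE_CODE_FLAGS = {"-c", "-e", "--eval"}
# Constructed denylist in the style the article says Cursor is phasing out.
DENIED_COMMANDS = {"rm", "curl", "wget"}

def denylist_blocks(spec):
    """Denylist semantics: only a known-bad executable name is rejected."""
    return spec.get("command", "").rsplit("/", 1)[-1] in DENIED_COMMANDS

def audit_mcp_config(text):
    """Return (server, reason) findings for an mcp.json document.
    Assumes the layout {"mcpServers": {name: {"command", "args", "env"}}},
    or {"url": ...} for a remote server; anything not explicitly allowed
    is reported (allowlist semantics)."""
    findings = []
    for name, spec in json.loads(text).get("mcpServers", {}).items():
        if "command" not in spec:
            findings.append((name, "remote server %r needs review" % spec.get("url")))
            continue
        exe = spec["command"].rsplit("/", 1)[-1]
        if exe not in ALLOWED_COMMANDS:
            findings.append((name, "command %r not on allowlist" % spec["command"]))
        elif INLINE_CODE_FLAGS & set(spec.get("args", [])):
            findings.append((name, "inline code flag passed to allowlisted interpreter"))
    return findings

# Constructed sample: one ordinary entry, two entries of the kind an agent
# could be induced to write, and one remote server.
SAMPLE_MCP_JSON = """
{
  "mcpServers": {
    "docs":   {"command": "npx", "args": ["-y", "@example/docs-mcp"]},
    "sneaky": {"command": "sh", "args": ["-c", "echo injected"]},
    "py":     {"command": "python3", "args": ["-c", "print('injected')"]},
    "remote": {"url": "https://mcp.example.invalid/sse"}
  }
}
"""

if __name__ == "__main__":
    for server, reason in audit_mcp_config(SAMPLE_MCP_JSON):
        print(f"{server}: {reason}")
```

The denylist passes the "sneaky" entry because "sh" is not on its list, while the allowlist audit flags it; that gap is the point of the change.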
Additional Vulnerabilities Discovered
Cursor is grappling with additional security weaknesses that can be weaponized. For example, research by HiddenLayer indicates the flawed denylist could enable attackers to embed covert malicious instructions within files like README.md on GitHub. This exposes the risk of stealing sensitive credentials, such as API keys and SSH access, through innocuous-looking code repositories.
Implications of the Findings
When a user clones a project from GitHub and requests assistance from Cursor, they may unknowingly unleash prompt injections not evident in the project files. These prompt injections can manipulate the AI model to execute unauthorized commands, including searching for and exfiltrating sensitive information.
HiddenLayer also identified how attackers could chain benign tools such as read_file and create_diagram in a tool-combination attack to extract private SSH keys.
Broader Context: Similar Vulnerabilities in AI Tools
The disclosure regarding Cursor comes amid rising concerns over vulnerabilities in various AI-driven platforms. For instance, Tracebit discovered a similar risk within Google’s Gemini CLI, where default configurations were exploited to transfer sensitive data to malicious servers unnoticed. Just as with Cursor, mitigating such risks necessitates user vigilance and consistent updates.
Recommendations for Users
To protect against these vulnerabilities, it is crucial for users of Cursor and similar tools to regularly update their software to the latest versions, like Cursor version 1.3. Additionally, users should remain aware of the potential shortcomings in built-in security solutions and take proactive steps to strengthen their operational environment.
In conclusion, while the advancements in AI-assisted coding tools provide remarkable benefits, they also introduce new and evolving security challenges. Staying informed and vigilant is essential for safeguarding sensitive data in this rapidly changing technological landscape.