A significant security flaw, tracked as CVE-2025-54135 and dubbed “CurXecute,” was discovered in the popular AI-powered code editor, Cursor IDE. This high-severity vulnerability (CVSS Score: 8.6) allows attackers to achieve Remote Code Execution (RCE) on a developer’s machine without requiring the user to approve or accept any malicious changes.

Details of the Vulnerability
- Flaw: The vulnerability exploits Cursor’s Model Context Protocol (MCP) auto-start feature, which automatically executes new entries added to the ~/.cursor/mcp.json configuration file.
- Attack Vector: When a developer connects Cursor to external services (like Slack or GitHub) via an MCP server and then uses the AI agent to process untrusted external data (such as summarizing messages), a sophisticated prompt injection attack can occur.
- Execution: The malicious prompt tricks the AI agent into directly modifying the mcp.json file. Crucially, Cursor IDE writes these suggested edits to the disk and the MCP auto-start feature executes the embedded command immediately, achieving RCE before the user can review or reject the AI’s suggestion.
- Impact: Successful exploitation grants attackers developer-level privileges, enabling potential data theft, ransomware deployment, or complete system compromise.
Mitigation
The vulnerability affects all Cursor IDE versions prior to 1.3. Developers are strongly advised to:
- Update Immediately to Cursor IDE version 1.3 or later, which contains the fix.
- Review MCP Configurations to minimize exposure to untrusted external data sources.
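
One way to carry out the configuration review above, as an added example (not code from Cursor or from this article): compare the live mcp.json against a copy you have already reviewed and report every server entry that was added, changed or removed. The `mcpServers` layout with `command` and `args` keys, and the sample entries, are assumptions constructed for illustration.

```python
import hashlib
import json


def load_servers(text):
    """Return {server_name: entry} from mcp.json text; reject unexpected shapes."""
    doc = json.loads(text)
    servers = doc.get("mcpServers", {}) if isinstance(doc, dict) else None
    if not isinstance(servers, dict):
        raise ValueError("mcpServers must be a JSON object")
    return servers


def fingerprint(entry):
    """Hash the canonical form so key order and whitespace do not matter."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def audit(approved_text, current_text):
    """Compare the live file to the reviewed copy; return sorted (status, name)."""
    approved = load_servers(approved_text)
    current = load_servers(current_text)
    findings = []
    for name, entry in current.items():
        if name not in approved:
            findings.append(("added", name))
        elif fingerprint(entry) != fingerprint(approved[name]):
            findings.append(("changed", name))
    findings += [("removed", n) for n in approved if n not in current]
    return sorted(findings)


# Constructed sample data (assumed file layout, placeholder server names).
APPROVED = """{"mcpServers": {
  "github": {"command": "npx", "args": ["-y", "example-github-mcp"]},
  "slack":  {"command": "npx", "args": ["-y", "example-slack-mcp"]}}}"""
CURRENT = """{"mcpServers": {
  "github": {"args": ["-y", "example-github-mcp"], "command": "npx"},
  "slack":  {"command": "npx", "args": ["-y", "example-slack-mcp", "--extra"]},
  "unreviewed": {"command": "example-binary", "args": []}}}"""

if __name__ == "__main__":
    # In practice, read the reviewed copy and ~/.cursor/mcp.json from disk.
    for status, name in audit(APPROVED, CURRENT):
        print(f"{status:8} {name}")
```

Any "added" or "changed" result is an entry that would be started without having been reviewed, so it should be inspected before the editor is used against untrusted content again.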
This incident highlights a growing security challenge for AI development tools that integrate local systems with external, untrusted content sources.