Full Report
A vulnerability that researchers call CurXecute is present in almost all versions of the AI-powered code editor Cursor, and can be exploited to execute remote code with developer privileges. [...]
Analysis Summary
# Vulnerability: Prompt Injection in Cursor IDE for Arbitrary Command Execution (CurXecute)
## CVE Details
- CVE ID: CVE-2025-54135
- CVSS Score: 8.6 (High)
- CWE: Inadequate Input Validation (Assumed, based on Prompt Injection)
## Affected Systems
- Products: Cursor IDE
- Versions: Prior to v1.3
- Configurations: Any system where the AI agent processes external, untrusted content via integrated Message Content Providers (MCP) servers (e.g., Slack, issue trackers, support inboxes).
## Vulnerability Description
The Cursor IDE is vulnerable to a prompt injection attack, dubbed 'CurXecute', which can lead to the remote execution of arbitrary system commands. The vulnerability stems from how Cursor handles suggestions to modify the `~/.cursor/mcp.json` configuration file. Cursor executes new entries in this file immediately upon suggestion, even if the user explicitly rejects the suggested edit. An attacker can craft a malicious prompt via a connected third-party MCP server (e.g., a public Slack channel) containing a payload targeting this configuration file. If a victim interacts with the AI agent (e.g., asks it to summarize messages containing the payload), the malicious command is immediately written to the disk and executed without user confirmation, potentially leading to shell execution on the host machine.
## Exploitation
- Status: PoC available (Reported privately by Aim Security)
- Complexity: Low to Medium (Requires integration with a vulnerable MCP source)
- Attack Vector: Network (via compromised external service feeding data to the IDE agent)
## Impact
- Confidentiality: High (Potential data theft due to remote command execution)
- Integrity: High (Arbitrary code execution can lead to system modification or project corruption via AI hallucination)
- Availability: High (Potential for system disruption or ransomware deployment)
## Remediation
### Patches
- Cursor version 1.3, released on July 29th, includes a fix for the CurXecute vulnerability.
### Workarounds
- Users should avoid processing untrusted external content via the AI agent until updated.
- Limit the integrated MCP servers to trusted internal sources only, restricting exposure to public or untrusted channels.
## Detection
- **Indicators of Compromise:** Unexpected shell processes initiated around the time the user was interacting with the AI agent in Cursor. Suspicious file creation or modification in user configuration directories, particularly related to `~/.cursor/mcp.json`.
- **Detection Methods and Tools:** Monitor process execution tracing for unusual parent-child relationships involving the Cursor process. Review network logs related to connected MCP servers for signs of injection attempts into configuration formats.
## References
- Vendor advisory: hxxps://github.com/cursor/cursor/security/advisories/GHSA-4cxx-hrm3-49rm
- Researcher report detail (Aim Security): hxxps://www.aim.security/lp/aim-labs-curxecute-blogpost