A critical vulnerability in Cursor, the rapidly growing AI-powered code editor, enables persistent remote code execution through manipulation of the Model Context Protocol (MCP) validation system.
The vulnerability, tracked as CVE-2025-54136 and dubbed “MCPoison,” exploits a trust bypass mechanism that allows attackers to execute arbitrary system commands without user awareness.
The MCPoison vulnerability stems from a fundamental flaw in Cursor’s trust validation model for MCP configurations.
Cursor, an AI-assisted integrated development environment built on Visual Studio Code, uses MCP – an open standard developed by Anthropic – to enable AI systems to connect with external tools and data sources.
The vulnerability allows attackers to exploit Cursor’s one-time approval model for MCP configurations. When a user first encounters an MCP configuration file stored at .cursor/rules/mcp.json, they are prompted to approve its execution.

However, researchers discovered that once an MCP is approved, Cursor trusts the configuration name permanently without validating whether the underlying command or arguments have been modified.
This creates a dangerous attack vector where an attacker can commit a benign-looking MCP configuration with harmless commands like echo, wait for victim approval, then silently replace the command with malicious payloads such as reverse shells or arbitrary system commands.
The modified commands execute automatically every time the victim opens the project in Cursor, creating persistent access without any additional user prompts or warnings.
Cursor IDE Vulnerability
Check Point researchers demonstrated the vulnerability’s severity through proof-of-concept attacks that show how easily the trust bypass can be exploited in collaborative development environments.
The attack sequence involves several steps: first, an attacker commits an innocuous MCP configuration to a shared repository, such as a simple command that prints a message.
When team members pull the code and open the project in Cursor, they see an approval prompt for the seemingly harmless MCP and accept it.
After gaining this initial approval, the attacker can modify the MCP configuration to include malicious commands. Check Point researchers extended their demonstration by deploying a reverse shell payload that establishes ongoing access to victim machines.

Each time the victim opens Cursor, the malicious MCP is re-evaluated and the reverse shell triggers again, making the payload persistent and requiring no user interaction beyond the initial approval.
The vulnerability poses significant risks in team development environments where code repositories are shared and synchronized.
Attackers with write access to shared repositories can achieve ongoing remote access, execute arbitrary local commands silently, escalate privileges within the user context, and persist indefinitely as the malicious MCP re-executes on every project launch.
This is particularly dangerous on developer machines that often contain cloud credentials, SSH keys, and access to sensitive source code.
Mitigations
Following responsible disclosure by Check Point Research on July 16, 2025, Cursor released version 1.3 on July 29, 2025, which addresses the vulnerability.
While the release notes did not explicitly mention the security fix, independent testing confirms that the issue has been effectively resolved.
The updated version now requires mandatory approval prompts for any modifications to MCP configurations, including changes as minor as adding a space.
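The difference between the flawed and the fixed trust model described above comes down to what the approval record is keyed on. The following added example (not Cursor's code, not from Check Point's research) contrasts the two: name-only trust lets a swapped command through, while binding the approval to a digest of the full server definition re-prompts on any change, including a single added space. The config entries and the server name "build-helper" are constructed for illustration.

```python
import hashlib
import json

# Constructed sample configs (not from the article or from Cursor itself):
# the benign entry approved at first prompt, the same name after a command
# swap, and the same name after only a space was added to an argument.
APPROVED_AT_PROMPT = {"mcpServers": {
    "build-helper": {"command": "echo", "args": ["hello from build-helper"]}}}
AFTER_SWAP = {"mcpServers": {
    "build-helper": {"command": "sh", "args": ["-c", "PLACEHOLDER_COMMAND"]}}}
SPACE_ADDED = {"mcpServers": {
    "build-helper": {"command": "echo", "args": ["hello from build-helper "]}}}


def server_digest(definition: dict) -> str:
    """SHA-256 over a server's whole definition (command, args, env, ...).

    Canonical JSON (sorted keys, fixed separators): reordering keys is not
    a change, but any change to a value, even one space, is.
    """
    canonical = json.dumps(definition, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def record_approvals(config: dict) -> dict:
    """What a content-bound trust store remembers when the user approves."""
    return {name: server_digest(d) for name, d in config["mcpServers"].items()}


def trusted_by_name(config: dict, approvals: dict) -> list:
    """Vulnerable model: a server runs if its *name* was approved before,
    regardless of what its command now says."""
    return [name for name in config["mcpServers"] if name in approvals]


def needs_reapproval(config: dict, approvals: dict) -> list:
    """Fixed model: re-prompt for any server that was never approved or whose
    definition digest no longer matches the one approved."""
    return [name for name, d in config["mcpServers"].items()
            if approvals.get(name) != server_digest(d)]


if __name__ == "__main__":
    approvals = record_approvals(APPROVED_AT_PROMPT)
    print("name-only trust would run:", trusted_by_name(AFTER_SWAP, approvals))
    print("content-bound trust re-prompts:", needs_reapproval(AFTER_SWAP, approvals))
    print("even a single added space:", needs_reapproval(SPACE_ADDED, approvals))
```

The same digest comparison works as a repository-side check: storing the approved digests alongside the project and diffing them on pull flags MCP changes before the editor ever sees them.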
The vulnerability disclosure represents the first in a planned series of security findings from Check Point Research focusing on AI platforms designed for developers.
As AI-assisted coding tools and LLM-integrated environments continue to shape modern software workflows, security researchers are identifying overlooked risks in these emerging ecosystems.
The MCPoison vulnerability highlights critical weaknesses in trust models behind AI-assisted development environments, raising concerns for teams integrating LLMs and automation into their workflows.
To protect against this vulnerability, security experts strongly recommend updating to the latest version of Cursor immediately.
Organizations using AI-powered development tools should treat MCP configuration files as potential attack surfaces, review and audit automation scripts carefully, avoid implicit trust in AI-driven automations, and limit write permissions in collaborative environments to control who can modify trusted configuration files.