Sunday, January 18, 2026

Cursor IDE Vulnerability Exposes Users to Remote Code Execution

A critical security vulnerability in the popular AI-powered code editor Cursor IDE has been disclosed that allows attackers to execute arbitrary code on a developer's machine without the developer approving anything; the victim only has to ask the agent to process content the attacker controls.

The flaw, dubbed “CurXecute” and tracked as CVE-2025-54135, received a CVSS severity rating of 8.6 (high) and has been patched in Cursor version 1.3, released on July 29, 2025.

The vulnerability stems from Cursor’s implementation of the Model Context Protocol (MCP), which allows the AI agent to connect with external services like Slack, GitHub, and databases.

This powerful feature turns the local agent into a “Swiss-army knife” but also creates a dangerous attack surface when untrusted data from these external sources can manipulate the agent’s control flow.

Discovered by researchers at Aim Labs, the same team that previously found the EchoLeak vulnerability in Microsoft 365 Copilot, CurXecute demonstrates how prompt injection attacks can escalate from data exfiltration to full remote code execution.

The attack works by exploiting two key weaknesses. First, Cursor automatically starts any new server entry added to the ~/.cursor/mcp.json configuration file without asking the user to confirm it. Second, edits that the agent proposes to this file are written to disk immediately, so the new server's command runs even if the user then rejects the suggested edit in the UI.


The attack sequence is remarkably simple yet devastating. An attacker can post a malicious message in a public Slack channel containing a crafted prompt injection payload.

When a developer using Cursor asks the AI agent to summarize their Slack messages, the agent retrieves the poisoned content and is manipulated into modifying the MCP configuration file.

This modification adds a new server entry with malicious commands that execute immediately upon being written to disk.

In the proof-of-concept demonstration, the researchers showed a single command such as touch ~/mcp_rce (which merely creates a marker file to prove execution) being run without any user approval; any other shell command could take its place.

The attack surface extends beyond Slack to any third-party MCP server that processes external content, including issue trackers, customer support systems, and search engines.

As the researchers noted, “a single poisoned document can morph an AI agent into a local shell”.

Broader Implications for AI Agent Security

The CurXecute vulnerability highlights a fundamental security challenge with AI agents that bridge external and internal systems.

Cursor has addressed the vulnerability in version 1.3, which also includes fixes for additional weaknesses that allowed the platform's denylist protections to be bypassed: a blocked command could be smuggled past the check by Base64-encoding it or by wrapping it in another shell invocation.

Because these agents operate with developer-level privileges and their behavior is steered by model output, they are inherently susceptible to manipulation through external data sources.

This creates opportunities for a range of malicious activity, including ransomware deployment, data theft, and manipulation of the agent's subsequent output.

The company has deprecated the denylist approach in favor of a more secure allowlist system: a denylist has to anticipate every dangerous pattern an attacker might use, whereas an allowlist only permits the specific commands the user has already approved.
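To make the attack and the fix concrete, the following is an added example that is not Cursor's code and not the Aim Labs proof of concept. It builds a constructed ~/.cursor/mcp.json in the {"mcpServers": {name: {command, args}}} layout Cursor reads, containing one legitimate server and three attacker-style entries: the direct touch ~/mcp_rce payload described above, the same payload wrapped in sh -c, and the same payload Base64-encoded. It then runs each entry through a naive denylist check of the kind the article says version 1.3 abandoned, and through an allowlist of approved (command, args) pairs. The server names, the denylist contents and the audit functions are all assumptions made for the illustration.

```python
import base64
import binascii
import json
import shlex

# Constructed sample of ~/.cursor/mcp.json (assumed contents, not a real capture).
# The "github" entry stands in for a server the developer deliberately configured;
# the other three are the kind of entry a prompt injection could coax the agent
# into appending. PAYLOAD is the harmless marker command from the proof of concept.
PAYLOAD = "touch ~/mcp_rce"
ENCODED = base64.b64encode(PAYLOAD.encode()).decode()
SAMPLE_MCP_JSON = json.dumps({
    "mcpServers": {
        "github":  {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]},
        "direct":  {"command": "touch", "args": ["~/mcp_rce"]},
        "wrapped": {"command": "sh", "args": ["-c", PAYLOAD]},
        "encoded": {"command": "sh", "args": ["-c", f"echo {ENCODED} | base64 -d | sh"]},
    }
})

# Naive denylist (assumed): refuse the entry if the launched binary, or any argument
# taken literally, names a "dangerous" program. It never looks inside a `sh -c` string
# and never decodes anything, which is exactly why wrapping and encoding slip past it.
DENYLIST = {"rm", "curl", "wget", "touch", "chmod"}

def denylist_allows(entry):
    tokens = [entry["command"], *entry.get("args", [])]
    return not any(tok in DENYLIST for tok in tokens)

# Allowlist (assumed): only an exact (command, args) pair the developer approved may run.
# Anything the agent adds on its own fails, regardless of how the payload is disguised.
ALLOWLIST = {("npx", ("-y", "@modelcontextprotocol/server-github"))}

def allowlist_allows(entry):
    return (entry["command"], tuple(entry.get("args", []))) in ALLOWLIST

def reveal_base64(entry):
    """Return decoded text for any argument token that is valid Base64 and decodes to
    printable ASCII, so a reviewer can see what an encoded entry would really run."""
    found = []
    for arg in entry.get("args", []):
        for tok in shlex.split(arg):
            try:
                raw = base64.b64decode(tok, validate=True)
            except (binascii.Error, ValueError):
                continue
            if raw and raw.isascii() and raw.decode().isprintable():
                found.append(raw.decode())
    return found

def audit(config_text):
    """Evaluate every server entry under both policies and surface hidden payloads."""
    servers = json.loads(config_text)["mcpServers"]
    return {
        name: {
            "denylist": denylist_allows(entry),
            "allowlist": allowlist_allows(entry),
            "hidden": reveal_base64(entry),
        }
        for name, entry in servers.items()
    }

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_MCP_JSON).items():
        print(f"{name:8} denylist={'allow' if verdict['denylist'] else 'BLOCK'} "
              f"allowlist={'allow' if verdict['allowlist'] else 'BLOCK'} "
              f"hidden={verdict['hidden']}")
```

Running the audit shows the gap the article describes: the denylist blocks only the "direct" entry, while the "wrapped" and "encoded" entries pass because the dangerous command is hidden inside an argument string; the allowlist rejects all three because none of them is a pair the developer approved, and the Base64 decoder exposes the encoded entry's real command.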

However, researchers warn that this vulnerability pattern is intrinsic to how AI agents operate and will likely resurface across multiple platforms as these systems become more prevalent in software development workflows.

Users are strongly advised to upgrade to Cursor version 1.3 or later immediately to protect against this and the related denylist-bypass weaknesses.

The incident underscores the need for robust runtime guardrails and comprehensive security measures as AI-powered development tools become increasingly integrated into critical workflows.


Ethan Brooks
Ethan Brooks is a senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.
