Cybersecurity researchers have disclosed a now-patched, high-severity safety flaw in Cursor, a preferred synthetic intelligence (AI) code editor, that might end in distant code execution (RCE).
The vulnerability, tracked as CVE-2025-54135 (CVSS rating: 8.6), has been addressed in model 1.3 launched on July 29, 2025. It has been codenamed CurXecute by Purpose Labs, which beforehand disclosed EchoLeak.
“Cursor runs with developer‑degree privileges, and when paired with an MCP server that fetches untrusted exterior information, that information can redirect the agent’s management movement and exploit these privileges,” the Purpose Labs Workforce stated in a report shared with The Hacker Information.
“By feeding poisoned information to the agent through MCP, an attacker can achieve full distant code execution underneath the consumer privileges, and obtain any variety of issues, together with alternatives for ransomware, information theft, AI manipulation and hallucinations, and so on.”
In different phrases, the distant code execution can triggered by a single externally‑hosted immediate‑injection that silently rewrites the “~/.cursor/mcp.json” file and runs attacker‑managed instructions.
The vulnerability is just like EchoLeak in that the instruments, that are uncovered by Mannequin Management Protocol (MCP) servers to be used by AI fashions and facilitate interplay with exterior techniques, similar to querying databases or invoking APIs, might fetch untrusted information that may poison the agent’s anticipated habits.
Particularly, Purpose Safety discovered that the mcp.json file used to configure customized MCP servers in Cursor can set off the execution of any new entry (e.g., including a Slack MCP server) with out requiring any affirmation.
This auto-run mode is especially harmful as a result of it may possibly result in the automated execution of a malicious payload that is injected by the attacker through a Slack message. The assault sequence proceeds as follows –
- Consumer provides Slack MCP server through Cursor UI
- Attacker posts message in a public Slack channel with the command injection payload
- Sufferer opens a brand new chat and asks Cursor’s agent to make use of the newly configured Slack MCP server to summarize their messages in a immediate: “Use Slack instruments to summarize my messages”
- The agent encounters a specifically crafted message designed to inject malicious instructions to its context, for example, altering the configuration file so as to add one other MCP server containing a rogue instruction (“contact ~/
“The core reason behind the flaw is that new entries to the worldwide MCP JSON file are beginning routinely,” Purpose Safety stated. “Even when the edit is rejected, the code execution had already occurred.”
Your complete assault is noteworthy for its simplicity. But it surely additionally highlights how AI-assisted instruments can open up new assault surfaces when processing exterior content material, on this case, any third-party MCP server.
“As AI brokers preserve bridging exterior, inner, and interactive worlds, safety fashions should assume exterior context might have an effect on the agent runtime – and monitor each hop,” the corporate added.
Model 1.3 of Cursor additionally addresses one other difficulty with auto-run mode that may simply circumvent the platform’s denylist-based protections utilizing strategies like Base64-encoding, shell scripts, and enclosing shell instructions inside quotes (e.g., “e”cho bypass) to execute unsafe instructions.
Following accountable disclosure by the BackSlash Analysis Workforce, Cursor has taken the step of altogether deprecating the denylist function for auto-run in favor of an allowlist.
“Do not count on the built-in safety options offered by vibe coding platforms to be complete or foolproof,” researchers Mustafa Naamneh and Micah Gold stated. “The onus is on end-user organizations to make sure agentic techniques are geared up with correct guardrails.”
The disclosure comes as HiddenLayer additionally discovered that Cursor’s ineffective denylist strategy may be weaponized by embedding hidden malicious directions with a GitHub README.md file, permitting an attacker to steal API keys, SSH credentials, and even run blocked system instructions.
“When the sufferer considered the undertaking on GitHub, the immediate injection was not seen, and so they requested Cursor to git clone the undertaking and assist them set it up, a typical incidence for an IDE-based agentic system,” researchers Kasimir Schulz, Kenneth Yeung, and Tom Bonner famous.
“Nonetheless, after cloning the undertaking and reviewing the readme to see the directions to arrange the undertaking, the immediate injection took over the AI mannequin and compelled it to make use of the grep device to search out any keys within the consumer’s workspace earlier than exfiltrating the keys with curl.”
HiddenLayer stated it additionally discovered extra weaknesses that might be abused to leak Cursor’s system immediate by overriding the bottom URL offered for OpenAI API requests to a proxied mannequin, in addition to exfiltrate a consumer’s non-public SSH keys by leveraging two benign instruments, read_file and create_diagram, in what’s known as a device mixture assault.
This basically includes inserting a immediate injection command inside a GitHub README.md file that is parsed by Cursor when the sufferer consumer asks the code editor to summarize the file, ensuing within the execution of the command.
The hidden instruction, for its half, makes use of the read_file device to learn non-public SSH keys belonging to the consumer after which makes use of the create_diagram device to exfiltrate the keys to an attacker-controlled webhook.web site URL. All of the recognized shortcomings have been remediated by Cursor in model 1.3.
Information of assorted vulnerabilities in Cursor comes as Tracebit devised an assault focusing on Google’s Gemini CLI, an open-source command-line device fine-tuned for coding duties, that exploited a default configuration of the device to surreptitiously exfiltrate delicate information to an attacker-controlled server utilizing curl.
Like noticed within the case of Cursor, the assault requires the sufferer to (1) instruct Gemini CLI to work together with an attacker-created GitHub codebase containing a nefarious oblique immediate injection within the GEMINI.md context file and (2) add a benign command to an allowlist (e.g., grep).
“Immediate injection focusing on these components, along with vital validation and show points inside Gemini CLI might trigger undetectable arbitrary code execution,” Tracebit founder and CTO Sam Cox stated.
To mitigate the chance posed by the assault, Gemini CLI customers are suggested to improve their installations to model 0.1.14 shipped on July 25, 2025.
