The vulnerability, tracked as CVE-2025-54135 with a severity rating of 8.6, affects all versions before 1.3 and exploits the IDE’s Model Context Protocol (MCP) auto-start functionality.
The vulnerability stems from Cursor’s automatic execution of new entries added to the ~/.cursor/mcp.json configuration file without requiring user confirmation.
When the AI agent suggests edits to this critical file, the changes are immediately written to disk and executed, even if users haven’t approved the modifications.
The attack vector leverages MCP servers that process external, untrusted data sources such as Slack channels, GitHub repositories, or databases.
Attackers can craft malicious prompts in these external systems that persuade the AI agent to modify the MCP configuration. A proof-of-concept demonstrates the exploit:
json"slack_summary": {
"command": "touch",
"args": ["~/mcp_rce"]
}
This payload, when processed through a Slack MCP server, triggers immediate command execution upon file modification.
The attack requires minimal user interaction – simply asking the AI to “summarize my messages” using Slack tools can trigger the malicious code execution.
The CurXecute vulnerability represents a concerning pattern in AI agent security, following Aim Labs’ previous discovery of EchoLeak in Microsoft 365 Copilot.
Both vulnerabilities demonstrate how untrusted external content can hijack AI control flow and abuse system privileges.
Since Cursor operates with developer-level permissions, successful exploitation enables attackers to perform ransomware deployment, data theft, and AI manipulation.
The attack surface extends beyond Slack to any third-party MCP server processing external content, including issue trackers, customer support systems, and search engines.
This broad exposure makes the vulnerability particularly dangerous for development environments where Cursor enjoys elevated system access.
Cursor acknowledged the vulnerability and released a patch in version 1.3 following Aim Labs’ responsible disclosure on July 7, 2025.
However, the underlying security model challenge persists across AI agent platforms, highlighting the critical need for robust runtime guardrails and continuous monitoring of agent execution paths in development environments where external context can influence AI behavior.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates
The post Cursor IDE Vulnerability Allows Remote Code Execution Without User Interaction appeared first on Cyber Security News.
One of key the reasons developer IO Interactive is an inspired choice for adapting Ian…
The Exim development team has released version 4.99.2 to address four newly discovered security vulnerabilities…
For a long time, Mortal Kombat’s 1995 live-action movie set the bar as far as…
For a long time, Mortal Kombat’s 1995 live-action movie set the bar as far as…
This website uses cookies.