{"id":5861,"date":"2025-08-04T10:03:37","date_gmt":"2025-08-04T10:03:37","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/08\/04\/ai-powered-code-editor-cursor-ide-vulnerability-enables-remote-code-without-user-interaction\/"},"modified":"2025-08-04T10:03:37","modified_gmt":"2025-08-04T10:03:37","slug":"ai-powered-code-editor-cursor-ide-vulnerability-enables-remote-code-without-user-interaction","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/08\/04\/ai-powered-code-editor-cursor-ide-vulnerability-enables-remote-code-without-user-interaction\/","title":{"rendered":"AI-Powered Code Editor Cursor\u202fIDE Vulnerability Enables Remote Code Without\u00a0User Interaction"},"content":{"rendered":"

AI-Powered Code Editor Cursor\u202fIDE Vulnerability Enables Remote Code Without\u00a0User Interaction
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A severe vulnerability in the popular AI-powered code editor Cursor IDE, dubbed \u201cCurXecute,\u201d allows attackers to execute arbitrary code on developers\u2019 machines without any user interaction.\u00a0<\/p>\n

The vulnerability, tracked as CVE-2025-54135 with a high severity score of 8.6, affects all Cursor IDE versions prior to 1.3 and has been successfully patched following responsible disclosure.<\/p>\n

Key Takeaways<\/strong>
<\/mark>1.\"CurXecute\" in Cursor IDE allows remote code execution without user interaction.
2. Malicious prompts via external services exploit MCP auto-start to execute arbitrary commands.
3. Update immediately and review MCP.<\/pre>\n
The flaw exploits Cursor\u2019s Model Context Protocol (MCP) auto-start functionality, which automatically executes new entries added to the ~\/.cursor\/mcp.json configuration file.\u00a0<\/p>\n
This mechanism, combined with the IDE\u2019s suggested edits feature, creates a dangerous attack vector where malicious prompts can trigger remote code execution before users have any opportunity to review or approve the changes.<\/p>\n
AI-Powered Code Editor Cursor\u202fIDE Vulnerability<\/strong><\/h2>\n
The vulnerability operates through a sophisticated prompt injection attack that leverages Cursor\u2019s integration with external MCP servers<\/a>.\u00a0<\/p>\n
When developers connect Cursor to third-party services like Slack, GitHub, or databases through MCP, the IDE becomes exposed to untrusted external data that can manipulate the agent\u2019s control flow.<\/p>\n
The attack sequence begins when an attacker posts a crafted message in a public channel accessible through an MCP server. When a victim queries Cursor to summarize messages using the connected service, the malicious payload convinces the AI agent to modify the mcp.json file.\u00a0<\/p>\n
A typical injection might include code such as:<\/p>\n
\n
\"\"<\/figure>\n<\/div>\n
The critical flaw lies in Cursor\u2019s behavior of writing suggested edits directly to disk, triggering automatic command execution through the MCP auto-start feature even before users can accept or reject the suggestion.\u00a0<\/p>\n
This enables attackers to execute commands like touch ~\/mcp_rce with developer-level privileges, potentially leading to data theft, ransomware deployment, or complete system compromise.<\/p>\n
\n\n\n\n\n\n\n\n
Risk Factors<\/strong><\/td>\nDetails<\/strong><\/td>\n<\/tr>\n
Affected Products<\/td>\nCursor IDE (all versions prior to 1.3)<\/td>\n<\/tr>\n
Impact<\/td>\nRemote Code Execution (RCE)<\/td>\n<\/tr>\n
Exploit Prerequisites<\/td>\n\u2013 Target system running vulnerable Cursor IDE version
\u2013 MCP server configured with external data access
\u2013 Attacker ability to inject malicious content into external data source
\u2013 User interaction with AI agent to process external data<\/td>\n<\/tr>\n
CVSS 3.1 Score<\/td>\n8.6 (High)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n
Fix Available<\/strong><\/h2>\n
This vulnerability highlights a fundamental security challenge inherent in AI-powered development tools that bridge external and local computing environments.\u00a0<\/p>\n
As Aim Labs noted in their analysis, any third-party MCP server processing external content becomes a potential attack surface, including issue trackers, customer support systems, and search engines.<\/p>\n
Cursor has responded promptly to the disclosure, releasing version 1.3 with appropriate fixes.\u00a0<\/p>\n
Developers are strongly advised to update immediately and review their MCP server configurations to minimize exposure to untrusted external data sources.<\/p>\n
The discovery builds upon previous research by researchers, including their June disclosure of \u201cEchoLeak<\/a>,\u201d which demonstrated similar prompt injection vulnerabilities in Microsoft 365 Copilot.\u00a0<\/p>\n
These incidents underscore the growing need for robust runtime guardrails in AI agent architectures, as traditional security models may prove insufficient when external context can directly influence agent behavior and privilege usage.<\/p>\n
Integrate ANY.RUN TI Lookup<\/strong> with your SIEM or SOAR To Analyses Advanced Threats<\/strong> -> Try 50 Free Trial Searches<\/a> <\/strong><\/code><\/p>\n
The post AI-Powered Code Editor Cursor\u202fIDE Vulnerability Enables Remote Code Without\u00a0User Interaction<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n
 \t

\n 
<\/BR>
\n    Florence Nightingale
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n 
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"
AI-Powered Code Editor Cursor\u202fIDE Vulnerability Enables Remote Code Without\u00a0User Interaction A severe vulnerability in the popular AI-powered code editor Cursor IDE, dubbed \u201cCurXecute,\u201d allows attackers to execute arbitrary code on developers\u2019 machines without any user interaction.\u00a0 The vulnerability, tracked as CVE-2025-54135 with a high severity score of 8.6, affects all Cursor IDE versions prior to […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,416,131],"tags":[130],"class_list":["post-5861","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerabilities","category-vulnerability","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5861"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=5861"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/5861\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=5861"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=5861"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=5861"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}