
Cybersecurity researchers have disclosed a now-patched, high-severity security flaw in Cursor, a popular artificial intelligence (AI) code editor, that could lead to remote code execution.
The vulnerability, tracked as CVE-2025-54135 (CVSS score: 8.6), is addressed in version 1.3, released on July 29, 2025. It has been codenamed CurXecute by Aim Labs, which previously disclosed EchoLeak.
“When Cursor runs with developer-level privileges and pairs with an MCP server that retrieves untrusted external data, that data can redirect the agent’s control flow and take advantage of those privileges.”
“By feeding poisoned data to the agent via MCP, attackers can gain full remote code execution under the user’s privileges, enabling everything from ransomware and data theft to AI manipulation, hallucinations and more.”
The vulnerability is similar to EchoLeak in that tools exposed by Model Context Protocol (MCP) servers used by AI models can retrieve untrusted data that poisons the agent’s expected behavior.
Specifically, Aim Security found that the mcp.json file used to configure custom MCP servers in Cursor triggers the execution of new entries (e.g., adding a Slack MCP server) without requiring user confirmation.

This auto-run behavior is particularly dangerous because it can lead to the automatic execution of malicious payloads that an attacker injects via Slack messages. The attack sequence proceeds as follows:
1. The user adds a Slack MCP server via the Cursor UI.
2. The attacker posts a message containing a command injection payload to a public Slack channel.
“The root cause of the flaw is that new entries in the global MCP JSON file are started automatically,” Aim Security said. “Even if the edit is rejected, the code execution has already happened.”
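One defensive check that follows from this root cause is to treat mcp.json as a change-controlled file and alert on any server entry the user never approved, especially one that hands control to a shell. The following is an added example, not Cursor’s or Aim Security’s code; it assumes the mcpServers layout of Cursor’s mcp.json, and the server names, package name and payload string are constructed placeholders:

```python
import hashlib
import json

# Approved snapshot of the user's mcp.json (constructed; the "mcpServers" key is
# the layout Cursor uses, EXAMPLE_SLACK_MCP_PACKAGE is a placeholder).
APPROVED_SNAPSHOT = {
    "mcpServers": {
        "slack": {"command": "npx", "args": ["-y", "EXAMPLE_SLACK_MCP_PACKAGE"]},
    }
}

# Interpreters whose appearance in a new entry deserves a closer look (constructed list).
SHELL_INTERPRETERS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}


def fingerprint(entry: dict) -> str:
    """Stable digest of one server definition, so a silently edited command
    or argument list is caught, not just a brand-new server name."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def audit_mcp_config(current: dict, approved: dict = APPROVED_SNAPSHOT) -> dict:
    """Diff the live config against the approved snapshot. Since pre-1.3 Cursor
    started new entries the moment they were written, the useful control is to
    alert on any unapproved server and flag those that launch a shell."""
    live = current.get("mcpServers", {})
    known = approved.get("mcpServers", {})
    added = sorted(set(live) - set(known))
    removed = sorted(set(known) - set(live))
    changed = sorted(n for n in set(live) & set(known)
                     if fingerprint(live[n]) != fingerprint(known[n]))
    suspicious = sorted(n for n in added + changed
                        if str(live[n].get("command", "")).lower() in SHELL_INTERPRETERS)
    return {"added": added, "removed": removed, "changed": changed, "suspicious": suspicious}


# Constructed "after" state: the agent appended a server whose command is a shell
# one-liner. PAYLOAD_PLACEHOLDER stands in for whatever the injected text contained.
TAMPERED_CONFIG = json.loads("""
{"mcpServers": {
  "slack":  {"command": "npx", "args": ["-y", "EXAMPLE_SLACK_MCP_PACKAGE"]},
  "helper": {"command": "sh",  "args": ["-c", "PAYLOAD_PLACEHOLDER"]}
}}
""")

if __name__ == "__main__":
    print(json.dumps(audit_mcp_config(TAMPERED_CONFIG), indent=2))
```

In practice the snapshot would be stored outside the agent’s reach (or its hash pinned) and the audit run from a file watcher, since a check that runs only after the agent has already written the file is, as the article notes, too late to stop the first execution.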
The whole attack is notable for its simplicity. But it underscores how AI-assisted tools can open up new attack surfaces when they handle external content, in this case third-party MCP servers.
“AI agents continue to bridge the external, internal and interactive worlds, so the security model must assume that external context can affect the agent runtime.”
Version 1.3 of Cursor also addresses another issue with auto-run mode that made it trivial to bypass the platform’s denylist-based protection by wrapping shell commands in Base64 encoding, shell scripts, and quotes (such as the "e"cho bypass).
Following responsible disclosure by the Backslash Research team, Cursor took the step of deprecating Auto-Run’s denylist functionality altogether.
“Don’t expect the built-in security solutions offered by vibe coding platforms to be comprehensive or definitive,” said researchers Mustafa Naamne and Micah Gold. “The end-user organization is responsible for ensuring that the agent system is equipped with the appropriate guardrails.”
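The bypass classes above all exploit the gap between the raw string a denylist inspects and the command the shell actually runs. The following added example (not Cursor’s or Backslash’s code; the lists and sample commands are constructed) contrasts a naive denylist with an allowlist applied to shell-parsed argv, which is the design the deprecation points toward:

```python
import shlex

# Constructed lists for illustration; Cursor's actual auto-run lists are not on the page.
DENYLIST = {"curl", "wget", "rm", "sh", "bash"}
ALLOWLIST = {"ls", "cat", "grep", "echo"}
# Characters that let a single command string mean more than one command.
SHELL_METACHARS = set("|;&$`<>(){}")


def denylist_allows(cmd: str) -> bool:
    """The weak control: compare the raw first whitespace-separated token against
    a denylist. Quoting, pipelines and wrapper scripts all change what the shell
    runs without changing this token, which is why the article's bypasses work."""
    tokens = cmd.split()
    return bool(tokens) and tokens[0] not in DENYLIST


def allowlist_allows(cmd: str) -> bool:
    """The stronger control: refuse shell metacharacters outright, parse the string
    as a POSIX shell would (so a quote-split name collapses to its real argv[0]),
    then require that argv[0] be explicitly allowed."""
    if any(ch in SHELL_METACHARS for ch in cmd):
        return False
    try:
        argv = shlex.split(cmd)
    except ValueError:  # unbalanced quotes: refuse rather than guess
        return False
    return bool(argv) and argv[0] in ALLOWLIST


# Constructed samples modelled on the bypass classes the article names.
SAMPLES = {
    "plain":  "curl http://example.invalid/x",
    "quoted": '"c"url http://example.invalid/x',
    "base64": "echo BASE64_PLACEHOLDER | base64 -d | sh",
    "script": "./setup.sh",
    "benign": "grep -rn TODO src",
}


def evaluate(samples: dict = SAMPLES) -> dict:
    """Return {name: (denylist_verdict, allowlist_verdict)}; True means 'would run'."""
    return {n: (denylist_allows(c), allowlist_allows(c)) for n, c in samples.items()}


if __name__ == "__main__":
    for name, (deny_ok, allow_ok) in evaluate().items():
        print(f"{name:7s} denylist={'pass' if deny_ok else 'BLOCK':5s} "
              f"allowlist={'pass' if allow_ok else 'BLOCK'}")
```

Only the plain spelling is stopped by the denylist; the quoted, piped and script variants all pass it, while the argv allowlist blocks every one of them and still lets the benign grep through.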
The disclosure comes as HiddenLayer found that Cursor’s ineffective denylist approach could be weaponized by embedding malicious instructions hidden in a GitHub README.md file, allowing attackers to exfiltrate API keys and SSH credentials and even run blocked system commands.
“When the victim viewed the project on GitHub, no prompt injection was visible, and they asked Cursor to clone the project and help set it up, a common occurrence with IDE-based agent systems,” noted researchers Kasimir Schulz, Kenneth Yeung, and Tom Bonner.

“However, after cloning the project and reviewing the README for the steps to set up the project, the prompt injection took over the AI model and forced it to search the user’s workspace for the key using the grep tool before exfiltrating the key with curl.”
HiddenLayer also found an additional weakness that allows Cursor’s system prompt to be leaked by redirecting OpenAI API requests to a proxy model, as well as what it calls a tool combination attack that exfiltrates the user’s private SSH key by chaining two benign tools, read_file and create_diagram.
This essentially involves inserting a prompt injection into a GitHub README.md file that Cursor parses when the victim user asks the code editor to summarize the file, at which point the embedded instructions are executed.
The hidden instruction, for its part, reads the user’s private SSH key using the read_file tool and exfiltrates it to an attacker-controlled webhook.site URL using the create_diagram tool. All of the identified flaws have been fixed by Cursor in version 1.3.
News of the various Cursor vulnerabilities comes as Tracebit devised an attack targeting Google’s Gemini CLI, an open-source command-line tool tailored for coding tasks.
As in the Cursor case, the attack requires the victim to (1) instruct the Gemini CLI to interact with an attacker-created GitHub codebase that contains an indirect prompt injection in the GEMINI.md context file, and (2) add a benign command (e.g., grep) to the allowlist.
“The prompt injection targeting these elements, combined with critical validation and display issues within the Gemini CLI, can lead to undetectable arbitrary code execution,” said Sam Cox, founder and CTO of Tracebit.
To mitigate the risk posed by the attack, Gemini CLI users are advised to upgrade their installation to version 0.1.14, which shipped on July 25, 2025.