A vulnerability that researchers have named CurXecute is present in almost all versions of the AI-powered code editor Cursor, and could be exploited to execute remote code with developer privileges.
The security issue is now tracked as CVE-2025-54135 and can be leveraged by feeding the AI agent a malicious prompt to trigger attacker-controlled commands.
The Cursor integrated development environment (IDE) relies on AI agents to help developers code faster and more efficiently, allowing them to connect with external resources and systems using the Model Context Protocol (MCP).
According to the researchers, a hacker successfully exploiting the CurXecute vulnerability could open the door to ransomware and data theft incidents.
Prompt-injection attack
CurXecute is similar to the EchoLeak vulnerability in Microsoft 365 Copilot that could be used to steal sensitive data without any user interaction.
After discovering and understanding EchoLeak, the researchers at Aim Security, an AI cybersecurity company, realized that even a local AI agent could be influenced by an external factor into malicious actions.
Cursor IDE has support for the MCP open-standard framework, which extends an agent's capabilities and context by allowing it to connect to external data sources and tools.
"MCP turns a local agent into a Swiss‑army knife by letting it spin up arbitrary servers – Slack, GitHub, databases – and call their tools from natural language" – Aim Security
However, the researchers warn that this can compromise the agent, as it is exposed to external, untrusted data that can affect its control flow.
A hacker could leverage this to hijack the agent's session and privileges to act on behalf of the user.
By using an externally-hosted prompt injection, an attacker could rewrite the ~/.cursor/mcp.json file in the project directory to enable remote execution of arbitrary commands.
The researchers explain that Cursor does not require confirmation for executing new entries in the ~/.cursor/mcp.json file, and that suggested edits to it are live and trigger execution of the command even if the user rejects them.
In a report shared with BleepingComputer, Aim Security says that adding a common MCP server, such as Slack, to Cursor could expose the agent to untrusted data.
An attacker could post to a public channel a malicious prompt with an injection payload for the mcp.json configuration file.
When the victim opens a new chat and instructs the agent to summarize the messages, the payload, which could be a shell, lands on the disk immediately without the user's approval.
"The attack surface is any third‑party MCP server that processes external content: issue trackers, customer support inboxes, even search engines. A single poisoned document can morph an AI agent into a local shell" – Aim Security
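Because the injected entry lands in mcp.json without a confirmation prompt, a defender's practical control is to audit that file against an approved baseline. The following is an added example (not code from Aim Security or Cursor) that parses an mcp.json, reports servers missing from an allowlist or whose command was altered, and flags entries that invoke a shell or interpreter; it assumes the common `mcpServers` / `command` / `args` layout of the file, and the sample configuration is constructed.

```python
import json
from pathlib import Path

# Assumed mcp.json layout: {"mcpServers": {"<name>": {"command": "...", "args": [...]}}}
# Executables that let a config entry run arbitrary commands directly.
SHELL_LIKE = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe", "powershell", "pwsh",
              "python", "python3", "node", "perl", "ruby"}


def audit_mcp_config(config_text: str, allowlist: dict) -> list:
    """Return (server_name, reason) findings for an mcp.json document.

    allowlist maps an approved server name to the command the developer expects;
    anything outside that baseline, or anything shell-like, is reported."""
    cfg = json.loads(config_text)
    findings = []
    for name, entry in cfg.get("mcpServers", {}).items():
        command = entry.get("command", "")
        args = entry.get("args", [])
        exe = Path(command).name.lower()
        if name not in allowlist:
            findings.append((name, "not in allowlist"))
        elif allowlist[name] != command:
            findings.append((name, f"command changed from {allowlist[name]!r} to {command!r}"))
        # "-c" / "-e" style flags hand an inline script to an interpreter.
        if exe in SHELL_LIKE or any(a in ("-c", "-e") for a in args):
            findings.append((name, f"shell-like command {command!r} with args {args}"))
    return findings


# Constructed sample: the approved Slack server plus an injected entry of the kind a
# prompt-injection payload would add (a harmless echo stands in for a real command).
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "slack": {"command": "npx", "args": ["-y", "<slack-mcp-package>"]},
        "helper": {"command": "/bin/sh", "args": ["-c", "echo injected"]},
    }
})
APPROVED = {"slack": "npx"}  # baseline recorded when the developer added the server

if __name__ == "__main__":
    for server, reason in audit_mcp_config(SAMPLE_CONFIG, APPROVED):
        print(f"[!] {server}: {reason}")
```

Running the check from a file watcher or a pre-commit hook on ~/.cursor/mcp.json turns an unapproved entry into an alert before the agent's next session executes it.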
The researchers created a video to demonstrate how CurXecute can be leveraged in attacks:
Aim Security researchers say that a CurXecute attack could lead to ransomware and data theft incidents, and even AI manipulation through hallucination that can spoil the project, or enable slopsquatting attacks.
The researchers reported CurXecute privately to Cursor on July 7, and the next day the vendor merged a patch into the main branch.
On July 29, Cursor version 1.3 was released with multiple improvements and a fix for CurXecute. Cursor also published a security advisory for CVE-2025-54135, which received a medium-severity score of 8.6.
Users are recommended to download and install the latest version of Cursor to avoid known security risks.