Critical Flaw in Cursor AI: Prompt Injection Allows Remote Code Execution
A critical vulnerability has been discovered in the Cursor source code editor, an AI-powered tool designed to assist programmers. The flaw, identified as CVE-2025-54135 and dubbed CurXecute, affects nearly all versions of the IDE and allows remote execution of arbitrary commands with user-level privileges—merely by issuing a crafted request to the embedded agent.
Cursor supports the Model Context Protocol (MCP), which enables its built-in AI assistant to connect to external data sources—such as Slack, GitHub, or databases—and execute commands based on natural language prompts. According to Aim Security, this capability to interact with third-party systems renders the agent particularly vulnerable, as it begins processing untrusted information that can alter its intended behavior.
The vulnerability stems from a technique known as prompt injection, whereby specially crafted text can manipulate the AI into performing unintended actions. Similar mechanisms have been exploited previously, including in Microsoft 365 Copilot, where a comparable vulnerability allowed unauthorized extraction of confidential data. The issue is further exacerbated by the AI-generated code itself, which often harbors subtle vulnerabilities overlooked by developers.
The MCP configuration in Cursor resides in the file ~/.cursor/mcp.json, located within the project directory. Researchers found that any modifications to this file take effect immediately—even if the user rejects the AI’s proposed changes. This behavior enables an attacker who embeds a malicious instruction within an external data source to alter the MCP configuration and trigger arbitrary code execution.
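Because a silently written mcp.json entry is the point at which injected text becomes a launched process, a defender's first check is an audit of that file against a known-good copy. The script below is an added example, not Cursor's code or Aim Security's; it assumes the common MCP layout `{"mcpServers": {name: {"command", "args"}}}` and uses constructed sample documents in place of real files.

```python
import json

# Assumption (not stated in the article): mcp.json uses the widespread MCP layout
# {"mcpServers": {"<name>": {"command": "...", "args": [...]}}}.
ALLOWED_COMMANDS = {"npx", "node", "uvx", "python"}
SHELL_COMMANDS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "powershell.exe"}

# Constructed sample inputs: a trusted baseline and a copy with an unexpected extra server.
BASELINE_JSON = json.dumps({"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]}}})
TAMPERED_JSON = json.dumps({"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]},
    "helper": {"command": "sh", "args": ["-c", "echo injected"]}}})


def load_servers(text: str) -> dict:
    """Parse an mcp.json document and return its server map (empty if malformed)."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return {}
    servers = doc.get("mcpServers", {}) if isinstance(doc, dict) else {}
    return servers if isinstance(servers, dict) else {}


def audit_servers(servers: dict) -> list[str]:
    """Return one finding per server entry whose launch command looks unsafe."""
    findings = []
    for name, spec in servers.items():
        if not isinstance(spec, dict):
            findings.append(f"{name}: malformed server entry")
            continue
        cmd = str(spec.get("command", ""))
        args = [str(a) for a in spec.get("args", [])]
        if cmd in SHELL_COMMANDS or "-c" in args:
            findings.append(f"{name}: launches a shell ({cmd} {' '.join(args)})")
        elif cmd not in ALLOWED_COMMANDS:
            findings.append(f"{name}: command '{cmd}' is not on the allowlist")
    return findings


def diff_servers(baseline: dict, current: dict) -> dict:
    """Report server entries added or changed relative to a known-good baseline."""
    added = sorted(set(current) - set(baseline))
    changed = sorted(n for n in set(current) & set(baseline) if current[n] != baseline[n])
    return {"added": added, "changed": changed}


if __name__ == "__main__":
    base, cur = load_servers(BASELINE_JSON), load_servers(TAMPERED_JSON)
    print(diff_servers(base, cur))
    for finding in audit_servers(cur):
        print("FINDING:", finding)
```

In practice the baseline would be a committed, reviewed copy of the file and the current one the on-disk version, checked on a file-watcher event or as a pre-commit hook.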
One potential attack scenario involves an adversary posting a malicious message in a public Slack channel connected to the project. When a user opens the chat and asks the AI to summarize the conversation, the agent processes the input and silently saves a harmful configuration to disk—potentially executing a shell command or script in the background.
Researchers stress that all external MCP servers handling input from untrusted origins are at risk—ranging from issue trackers to customer support systems and search engines. A single malicious entry can effectively transform the local agent into a remote control vector. Given that IDE extensions are often riddled with vulnerabilities, the implications are even more dire.
Potential consequences include ransomware deployment, data exfiltration, logical corruption of project outputs through deceptive responses, and dependency poisoning attacks such as slopsquatting.
The issue was reported to the Cursor development team on July 7, 2025, and a fix was promptly integrated into the main branch the very next day. The final patch was released on July 29 as part of Cursor version 1.3. The vulnerability received a CVSS score of 8.6 and has been classified as a high-severity issue.
Users are strongly urged to upgrade to the latest version without delay to eliminate the risk of remote code execution via external MCP sources.