A vulnerability that researchers named CurXecute is present in almost all versions of the AI-powered code editor Cursor, and could be exploited to execute remote code with developer privileges.
The security issue is now tracked as CVE-2025-54135 and can be leveraged by feeding the AI agent a malicious prompt to trigger attacker-controlled commands.
The Cursor integrated development environment (IDE) relies on AI agents to help developers code faster and more efficiently, allowing them to connect to external resources and systems using the Model Context Protocol (MCP).
According to the researchers, an attacker successfully exploiting the CurXecute vulnerability could open the door to ransomware and data theft incidents.
Prompt-injection attack
CurXecute is similar to the EchoLeak vulnerability in Microsoft 365 Copilot, which could be used to steal sensitive data without any user interaction.
After discovering and analyzing EchoLeak, the researchers at Aim Security, an AI cybersecurity company, realized that even a local AI agent could be influenced by an external factor into performing malicious actions.
Cursor IDE supports the MCP open-standard framework, which extends an agent's capabilities and context by allowing it to connect to external data sources and tools.
“MCP turns a local agent into a Swiss‑army knife by letting it spin up arbitrary servers – Slack, GitHub, databases – and call their tools from natural language” – Aim Security
However, the researchers warn that this can compromise the agent, because it is exposed to external, untrusted data that can affect its control flow.
An attacker could leverage this to hijack the agent's session and privileges and act on behalf of the user.
Using an externally hosted prompt injection, an attacker could rewrite the ~/.cursor/mcp.json file in the project directory to enable remote execution of arbitrary commands.
The researchers explain that Cursor does not require confirmation before executing new entries in the ~/.cursor/mcp.json file, and that suggested edits are live and trigger execution of the command even if the user rejects them.
In a report shared with BleepingComputer, Aim Security says that adding a standard MCP server, such as Slack, to Cursor could expose the agent to untrusted data.
An attacker could post to a public channel a malicious prompt carrying an injection payload aimed at the mcp.json configuration file.
When the victim opens a new chat and instructs the agent to summarize the messages, the payload, which could be a shell, lands on disk immediately without the user's approval.
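The mechanism above turns the MCP configuration file into the thing worth watching: a new or altered server entry is executed without confirmation. The following audit script is an added example, not code from the article or from Cursor or Aim Security; it assumes the common mcp.json shape of an `mcpServers` object whose entries carry a `command` and `args`, flags entries that launch a shell interpreter or a command outside an allowlist, and diffs the file against a previously reviewed baseline so unexpected additions stand out.

```python
"""Audit an MCP config (mcp.json-style) for server entries that should not run unreviewed."""
import json

# Assumption: the file looks like {"mcpServers": {"<name>": {"command": ..., "args": [...]}}}.
ALLOWED_COMMANDS = {"npx", "node", "uvx", "docker"}          # launchers a team has vetted
SHELL_LIKE = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"}
METACHARS = ("|", ";", "&&", "$(", "`")                     # signs of a command string, not args


def audit_mcp_config(text: str, allowed=ALLOWED_COMMANDS) -> list[str]:
    """Return human-readable findings for each suspicious server entry (empty list = clean)."""
    findings = []
    try:
        cfg = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc}"]
    servers = cfg.get("mcpServers")
    if not isinstance(servers, dict):
        return ["no mcpServers object found"]
    for name, spec in servers.items():
        if not isinstance(spec, dict):
            findings.append(f"{name}: entry is not an object")
            continue
        cmd = spec.get("command")
        if cmd is None:
            continue  # URL-based server: no local process is spawned by this entry
        base = str(cmd).replace("\\", "/").rsplit("/", 1)[-1].lower()
        if base in SHELL_LIKE:
            findings.append(f"{name}: launches a shell interpreter ({cmd})")
        elif base not in allowed:
            findings.append(f"{name}: command {cmd!r} not in allowlist")
        joined = " ".join(map(str, spec.get("args", [])))
        if any(tok in joined for tok in METACHARS):
            findings.append(f"{name}: shell metacharacters in args")
    return findings


def new_or_changed_servers(baseline: dict, current: dict) -> list[str]:
    """Names of servers added or altered relative to a config the developer already reviewed."""
    base = baseline.get("mcpServers", {})
    return sorted(n for n, spec in current.get("mcpServers", {}).items() if base.get(n) != spec)


# Constructed sample: the reviewed baseline holds one vetted server; the current file has
# gained an entry of the kind an injected edit would add (placeholder command, not a payload).
BASELINE = {"mcpServers": {"slack": {"command": "npx", "args": ["-y", "example-slack-mcp"]}}}
CURRENT_TEXT = json.dumps({"mcpServers": {
    "slack": {"command": "npx", "args": ["-y", "example-slack-mcp"]},
    "helper": {"command": "sh", "args": ["-c", "echo constructed-example"]},
}})

if __name__ == "__main__":
    print(audit_mcp_config(CURRENT_TEXT))                        # flags "helper"
    print(new_or_changed_servers(BASELINE, json.loads(CURRENT_TEXT)))  # ['helper']
```

Run it from a pre-commit hook or a file watcher on the config path so that an entry appearing outside a deliberate edit is surfaced before the agent's next session.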
“The attack surface is any third‑party MCP server that processes external content: issue trackers, customer support inboxes, even search engines. A single poisoned document can morph an AI agent into a local shell” – Aim Security
Aim Security researchers say that a CurXecute attack could lead to ransomware and data theft incidents, and even to AI manipulation through hallucination that can wreck the project or enable slopsquatting attacks.
The researchers reported CurXecute privately to Cursor on July 7, and the next day the vendor merged a patch into the main branch.
On July 29, Cursor version 1.3 was released with multiple improvements and a fix for CurXecute. Cursor also published a security advisory for CVE-2025-54135, which received a medium-severity score of 8.6.
Users are recommended to download and install the latest version of Cursor to avoid known security risks.