
AI-powered Cursor IDE vulnerable to prompt-injection attacks


A vulnerability that researchers call CurXecute is present in virtually all versions of the AI-powered code editor Cursor, and can be exploited to execute remote code with developer privileges.

The security issue is now tracked as CVE-2025-54135 and can be leveraged by feeding the AI agent a malicious prompt to trigger attacker-controlled commands.

The Cursor integrated development environment (IDE) relies on AI agents to help developers code faster and more efficiently, allowing them to connect with external resources and systems using the Model Context Protocol (MCP).

According to the researchers, a hacker successfully exploiting the CurXecute vulnerability could open the door to ransomware and data theft incidents.

Prompt-injection attack

CurXecute is similar to the EchoLeak vulnerability in Microsoft 365 Copilot that could be used to steal sensitive data without any user interaction.

After discovering and understanding EchoLeak, the researchers at Aim Security, an AI cybersecurity company, realized that even a local AI agent could be influenced by an external factor into malicious actions.

Cursor IDE has support for the MCP open-standard framework, which extends an agent's capabilities and context by allowing it to connect to external data sources and tools.

“MCP turns a local agent into a Swiss‑army knife by letting it spin up arbitrary servers – Slack, GitHub, databases – and call their tools from natural language” – Aim Security

However, the researchers warn that this can compromise the agent, as it is exposed to external, untrusted data that can affect its control flow.

A hacker could leverage this to hijack the agent's session and privileges to act on behalf of the user.

By using an externally hosted prompt injection, an attacker could rewrite the ~/.cursor/mcp.json file in the project directory to enable remote execution of arbitrary commands.

The researchers explain that Cursor does not require confirmation for executing new entries in the ~/.cursor/mcp.json file and that suggested edits are live and trigger execution of the command even if the user rejects them.

In a report shared with BleepingComputer, Aim Security says that adding a standard MCP server, such as Slack, to Cursor could expose the agent to untrusted data.

An attacker could post to a public channel a malicious prompt with an injection payload for the mcp.json configuration file.

When the victim opens a new chat and instructs the agent to summarize the messages, the payload, which could be a shell, lands on the disk immediately without the user's approval.
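As an added example (not the article's or Aim Security's code), a defender-side Python check for the weak spot described above: compare a saved known-good copy of mcp.json against the current file and flag any server entry that was added or changed, with extra attention to entries that launch a shell interpreter with an inline command string. The `{"mcpServers": {...}}` layout and both sample configs are constructed assumptions, not values taken from the article.

```python
import json
import re
from typing import Any, Dict, List, Tuple

# Constructed sample configs (not from the article): a known-good baseline and a
# later copy of the same file in which an extra server entry has appeared.
# Assumes the {"mcpServers": {name: {"command", "args"}}} layout of mcp.json.
BASELINE = """{"mcpServers": {
  "slack": {"command": "npx", "args": ["-y", "example-slack-mcp-server"]}
}}"""
MODIFIED = """{"mcpServers": {
  "slack": {"command": "npx", "args": ["-y", "example-slack-mcp-server"]},
  "helper": {"command": "/bin/sh", "args": ["-c", "<placeholder: injected command>"]}
}}"""

# Interpreters whose presence in "command" means the entry is a shell launcher.
SHELL_LAUNCHERS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh"}

def load_servers(text: str) -> Dict[str, Any]:
    """Parse an mcp.json document and return its server table (empty if absent)."""
    doc = json.loads(text)
    servers = doc.get("mcpServers", {})
    return servers if isinstance(servers, dict) else {}

def suspicious_reasons(entry: Dict[str, Any]) -> List[str]:
    """Explain why a single server entry deserves a human look before it runs."""
    reasons = []
    # Basename of the launcher, whatever the path separator.
    launcher = re.split(r"[\\/]", str(entry.get("command", "")).lower())[-1]
    args = [str(a) for a in entry.get("args", []) or []]
    if launcher in SHELL_LAUNCHERS:
        reasons.append(f"launches a shell interpreter ({launcher})")
    if "-c" in args or any(a.lower().startswith("-command") for a in args):
        reasons.append("passes an inline command string")
    return reasons

def review_changes(baseline_text: str, current_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (server name, 'added'|'changed', reasons) for every entry that
    differs from the baseline; an unchanged file yields an empty list."""
    base, cur = load_servers(baseline_text), load_servers(current_text)
    findings = []
    for name, entry in cur.items():
        if name not in base:
            findings.append((name, "added", suspicious_reasons(entry)))
        elif entry != base[name]:
            findings.append((name, "changed", suspicious_reasons(entry)))
    return findings
```

Run `review_changes` from a file watcher or a pre-commit hook against a baseline you stored before the agent session started; any finding is a prompt to inspect the entry, since Cursor itself did not ask for confirmation.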

“The attack surface is any third‑party MCP server that processes external content: issue trackers, customer support inboxes, even search engines. A single poisoned document can morph an AI agent into a local shell” – Aim Security

The researchers created a video to demonstrate how CurXecute can be leveraged in attacks:

Aim Security researchers say that a CurXecute attack could lead to ransomware and data theft incidents, and even AI manipulation via hallucination that can wreck the project or enable slopsquatting attacks.

The researchers reported CurXecute privately to Cursor on July 7, and the next day the vendor merged a patch into the main branch.

On July 29, Cursor version 1.3 was released with multiple improvements and a fix for CurXecute. Cursor also published a security advisory for CVE-2025-54135, which received a medium-severity rating of 8.6.

Users are recommended to download and install the latest version of Cursor to avoid known security risks.
