Ethical Hacking News
Researchers have disclosed a critical flaw in Cursor, an AI code editor that allows attackers to run commands via prompt injection, potentially leading to remote code execution under user privileges.
A high-severity security flaw (CVE-2025-54135) in Cursor's Model Control Protocol (MCP) functionality can lead to remote code execution under user privileges. The vulnerability is similar to another previously disclosed issue, EchoLeak, highlighting the need for proper guardrails. Automatic configuration of MCP servers in Cursor can trigger the execution of any new entry without confirmation, leading to auto-run mode. Attackers can exploit this vulnerability to gain full remote code execution under user privileges and achieve malicious activities such as ransomware and AI manipulation. The vulnerability has been addressed in version 1.3 released on July 29, 2025, but other issues remain.
The recent vulnerability disclosure in Cursor, a popular artificial intelligence (AI) code editor, has sent shockwaves through the cybersecurity community. According to researchers at Aim Security, a high-severity security flaw (CVE-2025-54135) in Cursor's Model Control Protocol (MCP) functionality can lead to remote code execution under user privileges.
The vulnerability is similar to another previously disclosed issue, EchoLeak, which highlights the need for end-users to ensure that their agentic systems are equipped with proper guardrails. The tools exposed by MCP servers facilitate interaction with external systems, such as querying databases or invoking APIs, but these interactions can be exploited if not properly secured.
Aim Security found that the mcp.json file used to configure custom MCP servers in Cursor can trigger the execution of any new entry without requiring any confirmation. This auto-run mode is particularly dangerous because it can lead to the automatic execution of a malicious payload injected by an attacker via a Slack message. The attack sequence proceeds as follows:
- User adds Slack MCP server via Cursor UI
- Attacker posts message in a public Slack channel with the command injection payload
- Victim opens a new chat and asks Cursor's agent to use the newly configured Slack MCP server to summarize their messages
- Agent encounters a specially crafted message designed to inject malicious commands to its context
When this happens, the attacker can gain full remote code execution under user privileges. The attacker could exploit these vulnerabilities to achieve any number of malicious activities such as ransomware, data theft, AI manipulation and hallucinations.
According to Aim Labs Team, "Cursor runs with developer-level privileges, and when paired with an MCP server that fetches untrusted external data, that data can redirect the agent's control flow and exploit those privileges."
The vulnerability has been addressed in version 1.3 released on July 29, 2025. The researchers also discovered another issue with auto-run mode that can easily circumvent the platform's denylist-based protections using methods like Base64-encoding, shell scripts, and enclosing shell commands within quotes.
Researchers at HiddenLayer found additional weaknesses that could be abused to leak Cursor's system prompt by overriding the base URL provided for OpenAI API requests to a proxied model, as well as exfiltrate a user's private SSH keys by leveraging two benign tools in what's called a tool combination attack. The identified shortcomings have been remediated by Cursor in version 1.3.
It is essential for end-users to ensure that their agentic systems are equipped with proper guardrails and take necessary precautions against such attacks. "Don't expect the built-in security solutions provided by vibe coding platforms to be comprehensive or foolproof," researchers Mustafa Naamneh and Micah Gold said. The onus is on end-user organizations to ensure agentic systems are equipped with proper guardrails.
Related Information:
https://www.ethicalhackingnews.com/articles/Critical-Flaw-in-Cursor-AI-Code-Editor-Allows-Remote-Code-Execution-via-Prompt-Injection-ehn.shtml
https://thehackernews.com/2025/08/cursor-ai-code-editor-fixed-flaw.html
https://nvd.nist.gov/vuln/detail/CVE-2025-54135
https://www.cvedetails.com/cve/CVE-2025-54135/
Published: Fri Aug 1 13:10:19 2025 by llama3.2 3B Q4_K_M
