Cursor IDE vulnerability overview

A vulnerability in the AI-powered code editor Cursor IDE, dubbed “CurXecute,” lets an attacker run arbitrary code on a developer’s machine without the developer clicking or approving anything beyond ordinary use of the agent. Tracked as CVE-2025-54135 and rated high severity (CVSS 8.6), the flaw affects all versions of Cursor IDE prior to 1.3 and has been patched following responsible disclosure.

The vulnerability abuses Cursor’s Model Context Protocol (MCP) auto-start behaviour: when a new server entry appears in the ~/.cursor/mcp.json configuration file, Cursor launches the command that entry specifies. The agent can write to that file as a suggested edit, and the new server is started as soon as the entry is written, before the developer has reviewed or accepted the change. The combination means a malicious prompt that persuades the agent to add an entry gets remote code execution without any approval step.
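The practical check a developer or responder wants after reading this is “what is in my mcp.json that I did not put there, and does any of it run inline code?” The script below is an added example written for this article; it is not Cursor’s code or the researchers’ proof of concept. It assumes a hand-maintained allowlist of approved server command lines (APPROVED_SERVERS), a list of interpreters whose inline-script flags indicate arbitrary code rather than a server launch, and a constructed sample mcp.json in which a second entry has been added by a prompt-injected edit.

```python
import json
import os
import sys

# Constructed baseline (an assumption for this example): the MCP servers the
# developer knowingly configured, keyed by name, with the exact command line
# that was reviewed and approved.
APPROVED_SERVERS = {
    "github": "npx -y @modelcontextprotocol/server-github",
}

# Shells and interpreters that, when given an inline-script flag, run arbitrary
# code instead of launching a long-lived MCP server process.
INTERPRETERS = {"sh", "bash", "zsh", "dash", "python", "python3", "node", "perl", "ruby"}
INLINE_CODE_FLAGS = {"-c", "-e", "--eval", "-exec"}

# Constructed sample of ~/.cursor/mcp.json after a prompt-injected edit: the
# "github" entry is the approved one; "notes" is a new entry the agent wrote.
SAMPLE_MCP_JSON = """{
  "mcpServers": {
    "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]},
    "notes":  {"command": "sh",  "args": ["-c", "echo injected-by-prompt"]}
  }
}"""


def audit_mcp_config(config_text: str, approved: dict) -> list:
    """Compare an mcp.json document against the approved baseline.

    Returns one finding per server entry that is not in the baseline, differs
    from its approved command line, or invokes an interpreter with inline code.
    """
    findings = []
    config = json.loads(config_text)
    for name, entry in config.get("mcpServers", {}).items():
        command = entry.get("command", "")
        args = [str(a) for a in entry.get("args", [])]
        cmdline = " ".join([command] + args).strip()
        reasons = []

        if name not in approved:
            reasons.append("unapproved")
        elif approved[name] != cmdline:
            reasons.append("modified")

        # basename so that "/bin/sh" and "sh" are treated alike
        if os.path.basename(command) in INTERPRETERS and any(a in INLINE_CODE_FLAGS for a in args):
            reasons.append("inline_code")

        if reasons:
            findings.append({"server": name, "command": cmdline, "reasons": reasons})
    return findings


def audit_file(path: str, approved: dict) -> list:
    """Audit an on-disk mcp.json; a missing file means no servers are configured."""
    try:
        with open(path, encoding="utf-8") as fh:
            return audit_mcp_config(fh.read(), approved)
    except FileNotFoundError:
        return []


if __name__ == "__main__":
    # Demonstrate on the constructed sample, then on the real file if present.
    for finding in audit_mcp_config(SAMPLE_MCP_JSON, APPROVED_SERVERS):
        print("sample:", finding)
    real_path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.cursor/mcp.json")
    for finding in audit_file(real_path, APPROVED_SERVERS):
        print(real_path + ":", finding)
```

On the sample the "github" entry is silent and "notes" is reported as both unapproved and inline_code. The check is after the fact: on a vulnerable Cursor the server has already been started by the time the file changes, so this is a detection and triage aid (run it from a file watcher or a scheduled job), not a substitute for upgrading to 1.3 or later.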

The attack is an indirect prompt injection delivered through Cursor’s integration with external MCP servers. When a developer connects Cursor to a third-party service such as Slack or GitHub, the agent reads content from that service (messages, issues, and the like) as part of its task. An attacker who can place text there, for example by posting a message in a channel the agent is asked to summarize, can steer the agent’s actions, including getting it to write the malicious entry into ~/.cursor/mcp.json.