The Cursor AI Code Editor has addressed a vulnerability that permitted attackers to execute commands through prompt injection.

Cybersecurity researchers have identified and disclosed a critical security vulnerability in Cursor, a widely used AI code editor, which could lead to remote code execution (RCE). This vulnerability, designated as CVE-2025-54135 with a CVSS score of 8.6, has been patched in version 1.3 released on July 29, 2025. Codenamed CurXecute by Aim Labs, the flaw allows attackers to exploit Cursor’s developer-level privileges when it interacts with an MCP server that retrieves untrusted external data.

The vulnerability enables an attacker to manipulate the agent’s control flow by feeding malicious data through the MCP, potentially leading to severe consequences such as ransomware deployment, data theft, and AI manipulation. The attack can be initiated by a single prompt injection that alters the “~/.cursor/mcp.json” configuration file, allowing the execution of attacker-controlled commands without user confirmation.

The attack sequence involves a user adding a Slack MCP server through the Cursor interface, followed by an attacker posting a message in a public Slack channel containing the malicious payload. When the victim interacts with the Cursor agent using the newly configured Slack MCP server, the agent may execute the injected commands, leading to unauthorized actions. This vulnerability is reminiscent of the previously disclosed EchoLeak, highlighting the risks associated with untrusted data in AI model interactions.