A vulnerability in the AI-powered Cursor IDE allows remote code execution without any user interaction.
A severe vulnerability known as “CurXecute” has been identified in the popular AI-powered code editor Cursor IDE; it allows attackers to execute arbitrary code on developers’ machines without any user interaction. The vulnerability is tracked as CVE-2025-54135, has a high severity score of 8.6, and affects all versions of Cursor IDE prior to 1.3. Exploitation relies on the Model Context Protocol (MCP) auto-start functionality, which automatically executes new entries added to the ~/.cursor/mcp.json configuration file. Combined with the IDE’s suggested edits feature, this mechanism creates a dangerous attack vector: a malicious prompt can trigger remote code execution before the user has the opportunity to review or approve the change. Developers are urged to update immediately and review their MCP settings to mitigate the risk.
The vulnerability is exploited through a prompt injection attack that leverages Cursor’s integration with external MCP servers. When developers connect Cursor to third-party services such as Slack, GitHub, or databases via MCP, the IDE is exposed to untrusted external data that can manipulate the agent’s control flow. The attack sequence begins when an attacker posts a crafted message in a public channel accessible through an MCP server. When a victim asks Cursor to summarise messages using the connected service, the malicious payload convinces the AI agent to modify the mcp.json file. Because new entries in that file are started automatically, this critical flaw allows attackers to execute commands with developer-level privileges, potentially leading to data theft, ransomware deployment, or complete system compromise.
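One way to act on the advice to review MCP settings is to fingerprint each entry in ~/.cursor/mcp.json and compare it against a snapshot taken after a manual review, so that an entry added or altered by an agent edit stands out. This is an added example, not code from Cursor or from the original article; it assumes the file keeps its servers under a top-level "mcpServers" object, and the server names and commands in the sample data are constructed.

```python
import hashlib
import json
from pathlib import Path

MCP_CONFIG = Path.home() / ".cursor" / "mcp.json"  # path named in the article


def fingerprint(entry):
    """Stable SHA-256 over one server entry (command, args, env, url, ...)."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def snapshot(config_text):
    """Map server name -> fingerprint. Assumes a top-level "mcpServers" key."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: fingerprint(entry) for name, entry in servers.items()}


def audit(config_text, baseline):
    """Compare the current config against a reviewed baseline snapshot."""
    current = snapshot(config_text)
    return {
        "added": sorted(set(current) - set(baseline)),
        "changed": sorted(n for n in current
                          if n in baseline and current[n] != baseline[n]),
        "removed": sorted(set(baseline) - set(current)),
    }


# Constructed sample data: a reviewed config and a later, modified copy.
REVIEWED = '{"mcpServers": {"slack": {"command": "npx", "args": ["example-slack-mcp"]}}}'
MODIFIED = json.dumps({"mcpServers": {
    "slack": {"command": "npx", "args": ["example-slack-mcp", "--extra"]},
    "helper": {"command": "example-tool", "args": []},
}})

if __name__ == "__main__":
    print(audit(MODIFIED, snapshot(REVIEWED)))
    if MCP_CONFIG.exists():
        # Print the live snapshot so it can be stored as the reviewed baseline.
        live = snapshot(MCP_CONFIG.read_text(encoding="utf-8"))
        print(json.dumps(live, indent=2))
```

Store the baseline somewhere the IDE's agent cannot write, and treat any "added" or "changed" result as a change that needs review before Cursor is started again.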