Cursor IDE MCP Vulnerabilities Enable Remote Code Execution (CurXecute & MCPoison) (2025)

Incident Summary

In August 2025, two critical vulnerabilities in the Cursor AI code editor were disclosed by independent security research teams. CVE-2025-54135, named “CurXecute” and disclosed by AIM Security on August 1, exploited Cursor’s ability to write workspace files without user approval to achieve remote code execution with a CVSS score of 8.6.^[1] CVE-2025-54136, named “MCPoison” and disclosed by Check Point Research on August 5, exploited a trust bypass in Cursor’s Model Context Protocol (MCP) server handling with a CVSS score of 7.2.^[2] Both vulnerabilities targeted flaws in how Cursor managed MCP configuration files, enabling attackers to execute arbitrary commands on developer machines.^[3] Cursor patched both vulnerabilities in version 1.3.9.^[1]

Key Facts

• CVE-2025-54135 (CurXecute): CVSS 8.6 — Cursor allowed writing workspace files without user approval; if .cursor/mcp.json did not exist, an attacker could chain indirect prompt injection to create a malicious MCP configuration that executed commands immediately^[1]
• CVE-2025-54136 (MCPoison): CVSS 7.2 — Once a user approved an MCP server in a shared GitHub repository, anyone with write access could silently replace the server configuration with a malicious one without triggering re-approval^[2]
• CurXecute was discovered by AIM Security; MCPoison was discovered by Check Point Research^[1][2]
• The CurXecute attack vector used prompt injection via Slack MCP servers, where a crafted message could modify global MCP configuration settings before the user could reject suggested edits^[1]
• The MCPoison attack exploited that MCP trust was bound by server name rather than configuration content, meaning approved servers could be silently weaponized^[2]
• Both vulnerabilities affected Cursor versions below 1.3.9^[3]
• Cursor issued a patch on July 29, 2025, requiring mandatory approval prompts for any MCP configuration change^[1]
• The vulnerabilities demonstrated that AI-powered development tools with MCP integrations create novel trust and authorization attack surfaces^[4]

Threat Patterns Involved

Primary: Adversarial Evasion — Both vulnerabilities exploited indirect prompt injection and trust mechanism bypasses to manipulate an AI coding assistant into executing unauthorized commands. CurXecute used prompt injection to hijack the AI’s context and write malicious configuration files, while MCPoison exploited a fundamental flaw in how trust was assigned to MCP servers.^[1][2]

Secondary: Tool Use and API Exploitation — The vulnerabilities targeted the Model Context Protocol, a standard for connecting AI assistants to external tools and data sources. By compromising MCP configurations, attackers could weaponize the AI agent’s tool-use capabilities to execute arbitrary commands, demonstrating how protocol-level vulnerabilities in agentic AI systems can enable full system compromise.^[3][4]

Significance

The CurXecute and MCPoison vulnerabilities demonstrate that AI-powered development tools with external tool integrations create novel security risks at the intersection of prompt injection and supply chain compromise. The MCPoison vulnerability is particularly significant because it exploits a fundamental design flaw in trust management — binding approval to a server name rather than its content — which has implications for MCP implementations across the broader AI tooling ecosystem.^[2] These incidents highlight the need for robust trust verification mechanisms in any AI system that integrates with external tools or data sources through protocols like MCP.^[4]