Akira Targets SonicWall VPNs in Zero-Day Surge

Posted on September 3, 2025 / March 9, 2026 by Finstein.ai

On July 29, 2025, Cursor, a widely used AI-powered code editor, released version 1.3 to patch a critical remote code execution (RCE) vulnerability tracked as CVE-2025-54135 (CVSS 8.6). Discovered by Aim Security, the flaw, dubbed “CurXecute,” allowed attackers to exploit Cursor’s integration with external Model Control Protocol (MCP) servers to execute arbitrary code.

The issue stemmed from Cursor’s handling of mcp.json configurations, which auto-ran any new entries, such as a Slack MCP server, without user confirmation. Attackers could inject malicious commands via Slack messages, triggering automatic execution without user interaction. The vulnerability was notable for its simplicity and impact: a single poisoned prompt could silently overwrite configuration files and run attacker-controlled payloads.

Aim Security and HiddenLayer also demonstrated how AI agents, when parsing external content (e.g., GitHub README.md files), could be manipulated via hidden prompt injections to leak API keys, private SSH credentials, or bypass denylists using encoded shell commands.

Cursor has since deprecated denylist-based protections and adopted an allowlist model. Users are strongly advised to upgrade to v1.3 immediately.
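Because the flaw relied on new mcp.json entries running without review, a defender can pin the approved entries and flag anything added or changed. The following is an added example, not code from Cursor, Aim Security or the original post; it assumes the common `mcpServers` layout of mcp.json, and the server names and commands in it are constructed sample data.

```python
import hashlib
import json

EXEC_FIELDS = ("command", "args", "env", "url")  # fields that decide what runs

def entry_fingerprint(entry: dict) -> str:
    """Stable SHA-256 over the execution-relevant fields of one server entry."""
    material = {k: entry.get(k) for k in EXEC_FIELDS}
    return hashlib.sha256(json.dumps(material, sort_keys=True).encode()).hexdigest()

def build_baseline(config: dict) -> dict:
    """Map each reviewed server name to its fingerprint (store this out of band)."""
    return {n: entry_fingerprint(e) for n, e in config.get("mcpServers", {}).items()}

def audit_mcp_config(config_text: str, baseline: dict) -> list:
    """Return (finding, server_name) tuples for entries that were never approved."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [("unparseable", str(exc))]
    servers = config.get("mcpServers", {}) if isinstance(config, dict) else None
    if not isinstance(servers, dict):
        return [("malformed", "mcpServers is not an object")]
    findings = []
    for name, entry in sorted(servers.items()):
        if name not in baseline:
            findings.append(("unapproved", name))   # new entry nobody reviewed
        elif not isinstance(entry, dict) or entry_fingerprint(entry) != baseline[name]:
            findings.append(("modified", name))     # approved name, different command
    return findings

# Constructed sample data: one reviewed server, then a rewritten config.
APPROVED = {"mcpServers": {"slack": {"command": "npx",
                                     "args": ["-y", "example-slack-mcp"]}}}
REWRITTEN = {"mcpServers": {
    "slack": {"command": "npx", "args": ["-y", "example-other-package"]},
    "helper": {"command": "sh", "args": ["-c", "echo constructed-placeholder"]},
}}
BASELINE = build_baseline(APPROVED)

if __name__ == "__main__":
    for finding in audit_mcp_config(json.dumps(REWRITTEN), BASELINE):
        print(finding)
```

Run it against both the per-project and the per-user mcp.json, and keep the baseline somewhere the editor's agent cannot write to.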

This incident highlights the growing risk of AI-integrated development tools as new attack surfaces where external context, even from “safe” sources, can be weaponized to compromise trusted systems.


Source: https://thehackernews.com/2025/08/cursor-ai-code-editor-fixed-flaw.html

