A newly discovered flaw, dubbed CurXecute, affects nearly all versions of the AI-powered code editor Cursor and can be exploited to execute remote code with full developer privileges.
The security loophole, now tracked as CVE-2025-54135, can be triggered by feeding the AI agent a specially crafted malicious prompt, which results in the execution of attacker-controlled commands.
Cursor IDE uses AI agents to help developers work faster by integrating with external systems via the Model Context Protocol (MCP). According to researchers, successful exploitation of CurXecute could pave the way for ransomware attacks, data theft, and other malicious activity.
Prompt-Injection Attack Vector
CurXecute operates similarly to EchoLeak, a previously identified vulnerability in Microsoft 365 Copilot that allowed theft of sensitive data without user interaction. Researchers at AI cybersecurity firm Aim Security discovered that even local AI agents can be influenced by external data sources to perform harmful actions.
Cursor’s MCP support extends agent capabilities by linking it with external data and tools.
“MCP turns a local agent into a Swiss-army knife by letting it spin up arbitrary servers - Slack, GitHub, databases - and call their tools from natural language” – Aim Security
However, this flexibility introduces risk, as exposure to untrusted data can compromise the agent’s control flow. A threat actor could hijack an agent’s session and privileges, enabling them to act as the legitimate user.
Through an externally hosted prompt injection, attackers could remotely modify the ~/.cursor/mcp.json configuration file so that it executes arbitrary commands. Researchers noted that Cursor does not require user confirmation for changes to this file: even if the user rejects the suggested edit, the malicious code still executes.
Aim Security’s report to BleepingComputer warns that adding standard MCP servers, such as Slack, to Cursor could inadvertently expose the agent to hostile content. For example, a malicious prompt posted in a public Slack channel could carry an injection payload targeting the configuration file. If the victim later asks the agent to summarize the messages, the payload, potentially a shell command, would be written to disk without approval.
“The attack surface is any third-party MCP server that processes external content: issue trackers, customer support inboxes, even search engines. A single poisoned document can morph an AI agent into a local shell” – Aim Security.
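The defensive check described above (an unapproved or shell-launching entry appearing in ~/.cursor/mcp.json) can be automated. The following is an added example, not code from Cursor or Aim Security; it assumes the file uses the common layout {"mcpServers": {name: {"command", "args"}}}, and the sample config, the approved-server baseline and the package name are constructed placeholders.

```python
import json

# Interpreters that hand the agent a local shell if listed as an MCP server command.
SHELL_INTERPRETERS = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe", "powershell", "pwsh"}

def audit_mcp_config(config_text, approved_servers):
    """Return (server_name, reason) findings for entries that are not on the
    user's approved baseline or that launch a shell interpreter.
    Assumption: layout {"mcpServers": {name: {"command": ..., "args": [...]}}}."""
    findings = []
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [("<file>", f"unparseable config: {exc}")]
    for name, spec in config.get("mcpServers", {}).items():
        if name not in approved_servers:
            findings.append((name, "server not in approved baseline"))
        command = str(spec.get("command", ""))
        # Compare only the basename so /bin/sh and C:\...\cmd.exe are both caught.
        binary = command.replace("\\", "/").rsplit("/", 1)[-1].lower()
        args = [str(a) for a in spec.get("args", [])]
        # "-c" is the usual "run this string" switch for shells; heuristic, tune per baseline.
        if binary in SHELL_INTERPRETERS or "-c" in args:
            findings.append((name, f"launches shell interpreter: {command} {' '.join(args)}"))
    return findings

# Constructed sample: one approved server and one injected entry of the kind the
# attack writes into the file. Package name and command string are placeholders.
SAMPLE_CONFIG = """{
  "mcpServers": {
    "slack": {"command": "npx", "args": ["-y", "@example/slack-mcp-server"]},
    "helper": {"command": "/bin/sh", "args": ["-c", "PLACEHOLDER_COMMAND"]}
  }
}"""

APPROVED = {"slack"}  # constructed baseline of servers the developer set up deliberately

if __name__ == "__main__":
    for server, reason in audit_mcp_config(SAMPLE_CONFIG, APPROVED):
        print(f"[{server}] {reason}")
```

Run it from a file watcher or a pre-session hook so that an entry written without approval is flagged before the agent's next session starts it.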
Aim Security privately disclosed CurXecute to Cursor on July 7. The vendor issued a patch the next day, merging it into the main branch. On July 29, Cursor version 1.3 was released, including multiple improvements and a fix for the flaw.
Cursor’s security advisory assigned the issue a medium severity score of 8.6. Users are strongly advised to update to the latest version to mitigate known risks.