A vulnerability known as CurXecute affects nearly all versions of the AI-powered code editor Cursor, allowing attackers to execute remote code with developer privileges.
This security flaw, now tracked as CVE-2025-54135, can be exploited by feeding the AI agent a harmful prompt that triggers commands controlled by an attacker.
Cursor is an integrated development environment (IDE) that uses AI agents to support faster and more efficient coding. It interacts with external systems and resources through the Model Context Protocol (MCP). Researchers warn that if exploited, CurXecute could lead to ransomware attacks and data breaches.
The nature of the attack is a prompt-injection, similar to the EchoLeak vulnerability found in Microsoft 365 CoPilot, which could extract sensitive information without user interaction. After analyzing EchoLeak, researchers at Aim Security, a company focused on AI cybersecurity, discovered that even a local AI agent could be influenced by external data for malicious purposes.
Cursor supports the MCP open-standard framework, which expands an agent’s context and capabilities by connecting it to external tools and data sources. However, this also leaves the agent vulnerable, as untrusted external data could influence its behavior.
Attackers could use this flaw to take control of the agent’s session and permissions, allowing them to act as the user. By injecting a malicious prompt hosted externally, a hacker could rewrite the ~/.cursor/mcp.json file in a project’s directory, enabling remote command execution.
Researchers note that Cursor does not request user confirmation before executing updates to the ~/.cursor/mcp.json file. Even if a user rejects suggested edits, the commands may still be executed. In a report to BleepingComputer, Aim Security explained that adding a standard MCP server like Slack to Cursor could further expose the agent to untrusted data.
For example, an attacker could post a harmful prompt in a public Slack channel, targeting the mcp.json configuration. If a victim opens that chat and asks the agent to summarize the messages, the injected payload could be written to disk instantly, possibly as a shell command, without needing any user approval.
A video was created by the researchers to show how CurXecute could be used in real-world attacks. They warned that successful exploitation might lead to ransomware, theft of sensitive data, or even AI model manipulation that disrupts the project and enables software supply chain attacks like slopsquatting.
The vulnerability was reported privately to Cursor on July 7. A patch was merged the following day. On July 29, Cursor released version 1.3 with several updates, including a fix for CurXecute. The company also issued a security advisory for CVE-2025-54135, which received a severity rating of 8.6.
Users are strongly advised to update to the latest version of Cursor to stay protected from this and other known security threats.
Found this article interesting? Follow us on X(Twitter) ,Threads and FaceBook to read more exclusive content we post.
