A critical code execution vulnerability, tagged as CVE-2025-54136 (also dubbed “MCPoison”), was found in the Cursor AI-powered code editor. This vulnerability is particularly dangerous for developers and teams who use Cursor’s “Vibe Coding” and agent-driven automation workflows, as it enables stealthy, persistent remote code execution (RCE) through the trust model underpinning Cursor’s Model Context Protocol (MCP) configuration system.
Detailed Notes on the Vulnerability
1. Mechanism of Exploitation
- Role of MCP and Approval Flow:
- Cursor projects can define behavior and automation using
.cursor/rules/mcp.jsonfiles (“MCP config”). - When a user first opens a project with an MCP file, Cursor prompts for explicit approval. Once approved, that config is marked as trusted for all subsequent sessions.
- The Core Flaw:
- After initial approval, any subsequent changes to an already-approved MCP config file are automatically trusted and executed in the user’s environment without further prompt.
- This creates an avenue for silent privilege escalation: an attacker can wait until the config is approved, then introduce a malicious change.
2. Attack Scenarios
- Supply Chain Compromise:
- In collaborative repos, a harmless MCP config can be submitted and approved. Later, the attacker submits a modification with a malicious command—such as a reverse shell or data exfiltration payload—which is then run silently by Cursor whenever any collaborator opens the project.
- Long-term Persistence:
- Because modified configs are automatically accepted, the attacker’s backdoor or payload is triggered every time any developer (who previously approved the config) opens the project, giving persistent access to their system.
- Prompt Injection via Integrations:
- In environments with agent integrations (e.g., Slack, GitHub bots), another related flaw (CVE-2025-54135, “CurXecute”) allows attackers to craft payloads or messages that overwrite MCP configs, indirectly triggering arbitrary command execution.
3. Impacts and Risks
- Remote Code Execution:
- Exploitation can result in arbitrary commands running in the context of the developer, with access to code, credentials, secrets, and potentially the wider infrastructure.
- Stealth and Persistence:
- The exploit is largely invisible: there are no prompts or alerts after the initial approval, and no obvious indicators of compromise.
4. Mitigation and Remediation Actions
- Patch Information:
- The vulnerability was fixed in Cursor v1.3 (July 29, 2025). The update requires user re-approval on any config file change, blocking silent privilege escalation.
- Immediate Recommendations:
- Upgrade Cursor to v1.3 or later on all machines and CI/CD environments.
- Audit all shared codebases for unauthorized changes in
.cursor/and especially MCP config files. Use version control history to spot unexpected edits. - Restrict write access to configuration files, especially for contributors or automation with broad permissions.
- Manual Review and Caution: Treat agent and automation configs with the same scrutiny as executable scripts. Manually review and approve any changes before re-enabling automation.
- Monitor for Suspicious Activity: Deploy endpoint monitoring to flag unusual subprocesses or network activity stemming from development tools.
5. Broader Security Lessons
- Automated Agent Configs = Attack Surface:
- Any tool that allows “trusted” automation or agent configs should require re-validation on update, as initial approvals can be weaponized later.
- Implicit trust in collaborative or open-source environments is extremely dangerous without robust change/approval controls.
- Defense-in-Depth:
- Combine least privilege, code reviews, and change management with technical safeguards (like prompt re-approval) for all privileged automation components.
Summary
The Cursor code execution flaw (CVE-2025-54136) arose because previously approved and trusted MCP configuration files could be altered and then silently re-executed by Cursor, permitting attackers stealthy and ongoing code execution on developer machines. The issue has been fixed in Cursor v1.3, which requires explicit re-approval on config changes. Developers must upgrade promptly, rigorously audit configuration repositories, and treat automation/agent configs as highly privileged, reviewing them with the utmost security controls to defuse the risk of devastating supply chain and persistence attacks.
