CVE-2025-54135
📋 TL;DR
Cursor code editor versions below 1.3.9 allow attackers to exploit indirect prompt injection to write malicious MCP configuration files without user approval, leading to remote code execution. This affects users running vulnerable Cursor versions who interact with untrusted AI prompts or content. The vulnerability requires chaining with prompt injection but can result in complete system compromise.
💻 Affected Systems
- Cursor AI Code Editor
📦 What is this software?
Cursor by Anysphere
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution on victim's machine, allowing attacker to install malware, steal credentials, or pivot to other systems.
Likely Case
Attacker gains code execution in user context, potentially accessing sensitive files, development environments, or credentials.
If Mitigated
Limited impact if prompt injection is prevented or user runs in sandboxed environment.
🎯 Exploit Status
Requires successful indirect prompt injection first. Attack chain involves writing malicious MCP configuration to trigger RCE.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.9
Vendor Advisory: https://github.com/cursor/cursor/security/advisories/GHSA-4cxx-hrm3-49rm
Restart Required: Yes
Instructions:
1. Open Cursor editor.
2. Go to Settings > About.
3. Check current version.
4. If below 1.3.9, update via built-in updater or download from official website.
5. Restart Cursor after update.
🔧 Temporary Workarounds
Pre-create the MCP configuration file
All platforms: Create a .cursor/mcp.json file in the workspace to prevent an attacker from creating a malicious one
mkdir -p .cursor
echo '{}' > .cursor/mcp.json
Disable MCP features
All platforms: Disable Model Context Protocol features if not needed
🧯 If You Can't Patch
- Avoid using Cursor with untrusted AI prompts or content
- Run Cursor in sandboxed environment or virtual machine
🔍 How to Verify
Check if Vulnerable:
Check Cursor version in Settings > About. If version is below 1.3.9, you are vulnerable.
Check Version:
Cursor shows version in About dialog. No CLI command available.
Verify Fix Applied:
Verify version is 1.3.9 or higher in Settings > About. Check that .cursor/mcp.json files require approval for creation.
📡 Detection & Monitoring
Log Indicators:
- Unexpected creation of .cursor/mcp.json files
- Unusual MCP server connections
- Suspicious process execution from Cursor context
Network Indicators:
- Connections to unexpected MCP servers
- Outbound connections from Cursor to unusual destinations
SIEM Query:
Process creation where parent process contains 'cursor' AND command line contains suspicious patterns like 'curl', 'wget', 'powershell' with unusual arguments
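To act on the "unexpected creation of .cursor/mcp.json files" indicator, the added example below (not part of the advisory or of Cursor itself) walks a directory tree and reports, for each workspace config, whether it is an empty placeholder like the workaround file or defines servers that need review. It assumes the config uses a top-level `mcpServers` object whose entries carry `command`/`args` or `url`; the function name `audit_mcp_configs` is hypothetical.

```python
import json
import os
import sys

def audit_mcp_configs(root):
    """Classify every .cursor/mcp.json under root.

    Returns sorted (path, status, entries) tuples. status is "no-servers"
    (e.g. the '{}' workaround file), "servers" (entries list what each one
    launches or contacts, for review), or "unreadable".
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != ".cursor" or "mcp.json" not in files:
            continue
        path = os.path.join(dirpath, "mcp.json")
        try:
            with open(path, encoding="utf-8") as fh:
                data = json.load(fh)
        except (OSError, ValueError) as exc:
            findings.append((path, "unreadable", [str(exc)]))
            continue
        # Assumed schema: {"mcpServers": {name: {"command", "args"} or {"url"}}}
        servers = data.get("mcpServers") if isinstance(data, dict) else None
        if not isinstance(servers, dict) or not servers:
            findings.append((path, "no-servers", []))
            continue
        entries = []
        for name, spec in sorted(servers.items()):
            spec = spec if isinstance(spec, dict) else {}
            args = spec.get("args") if isinstance(spec.get("args"), list) else []
            if "command" in spec:
                argv = " ".join(str(a) for a in [spec["command"], *args])
                entries.append(f"{name}: runs `{argv}`")
            else:
                entries.append(f"{name}: connects to {spec.get('url', '<no url>')}")
        findings.append((path, "servers", entries))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python audit_mcp.py [workspace-root]; defaults to the current directory.
    for path, status, entries in audit_mcp_configs(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:<11} {path}")
        for entry in entries:
            print(f"            {entry}")
```

Any "servers" or "unreadable" result in a workspace where nobody configured MCP deliberately is worth comparing against version control history and file creation times.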