CVE-2025-64109
📋 TL;DR
This vulnerability allows remote code execution in Cursor CLI Beta when a user clones a malicious GitHub repository containing a crafted .cursor/mcp.json file. Attackers can execute arbitrary commands on the victim's system without warning. All users of Cursor CLI Beta versions before 2025.09.17-25b418f are affected.
💻 Affected Systems
- Cursor CLI Beta
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the victim's system allowing attacker to install malware, steal credentials, or pivot to other systems.
Likely Case
Attackers create malicious repositories that execute code when developers clone and open them with Cursor CLI, potentially stealing source code or credentials.
If Mitigated
Limited impact if users only clone trusted repositories and have updated to patched versions.
🎯 Exploit Status
Exploitation requires social engineering to get users to clone malicious repositories. The advisory includes technical details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2025.09.17-25b418f
Vendor Advisory: https://github.com/cursor/cursor/security/advisories/GHSA-4hwr-97q3-37w2
Restart Required: Yes
Instructions:
1. Update Cursor CLI Beta to version 2025.09.17-25b418f or later. 2. Restart Cursor CLI after update. 3. Verify the update was successful.
🔧 Temporary Workarounds
Disable MCP server auto-execution
allPrevent automatic execution of MCP servers from .cursor/mcp.json files
cursor config set mcp.autoStart false
Use regular Cursor editor
allSwitch to the regular Cursor editor which is not affected by this vulnerability
🧯 If You Can't Patch
- Only clone repositories from trusted sources and verify .cursor/mcp.json files before opening projects
- Disable Cursor CLI Beta and use alternative tools until patching is possible
🔍 How to Verify
Check if Vulnerable:
Check if Cursor CLI Beta version is older than 2025.09.17-25b418fCheck Version:
cursor --versionVerify Fix Applied:
Confirm version is 2025.09.17-25b418f or newer and test that malicious .cursor/mcp.json files no longer auto-execute📡 Detection & Monitoring
Log Indicators:
- Unexpected process execution from Cursor CLI
- Commands running from .cursor directories
- Network connections to unexpected MCP servers
Network Indicators:
- Outbound connections from Cursor to unexpected hosts on MCP server ports
SIEM Query:
process_name:"cursor" AND (command_line:"mcp" OR parent_process:"cursor")