
Cursor flaw risks RCE from prompt injections on MCP server, researchers say


A vulnerability in the Cursor AI-powered integrated development environment (IDE) could enable remote code execution (RCE), Aim Security reported Friday.

The flaw, tracked as CVE-2025-54135 and dubbed “CurXecute” by Aim Labs, has a high CVSS score of 8.6, researchers said.

An attacker could craft a prompt injection that causes Cursor to modify its mcp.json configuration file, and Cursor acts on those changes automatically, without waiting for user approval, according to Aim Security.

The CurXecute proof-of-concept (PoC) exploit presented by Aim Labs involves untrusted data that Cursor ingests from a third-party service, such as Slack, through a model context protocol (MCP) server.

In the demonstrated scenario, an attacker sends their crafted prompt injection to a public Slack channel accessible by Cursor, which is triggered when a user asks Cursor to use Slack tools to summarize their messages.

The injection includes instructions to “improve” the mcp.json file by adding a new MCP server entry whose launch command runs attacker-controlled code; because Cursor starts every server listed in the file, writing the entry is enough to execute it.

“When the agent suggests an edit to mcp.json, the edit already lands on disk, triggering command execution even if the user rejects the suggestion,” the Aim Labs authors wrote.

Aim Security said it reported the issue to Cursor on July 7, 2025, and a fix was added to Cursor version 1.3.

Although Aim Security’s blog post indicated a security advisory would be published by Cursor, an advisory for CVE-2025-54135 had not yet been added to the security page of Cursor’s GitHub repository by the time of writing.

SC Media reached out to the Cursor security team and Cursor owner Anysphere for more information about CVE-2025-54135 and did not receive a response by the time of this writing.

Aim Security previously discovered a Microsoft 365 Copilot flaw tracked as CVE-2025-32711 and dubbed “EchoLeak,” which could enable an attacker to extract sensitive information from a user’s connected Microsoft 365 services by sending an email containing a crafted prompt injection.

The risks of untrusted data sent via MCP servers were also demonstrated in a PoC attack described by Cato Networks in June 2025, which could cause sensitive information to be leaked by AI tools connected to Atlassian’s MCP via prompt injections submitted as Jira support tickets.
