Cursor IDE vulnerability enables persistent code execution through AI plugin trust bypass
Take action: If you're using the Cursor AI code editor, upgrade to version 1.3 or later to avoid the MCPoison vulnerability, which attackers can abuse to achieve code execution through poisoned MCP configurations. If you can't upgrade right away, restrict who can modify .cursor/rules/mcp.json files in your repositories and treat these MCP configurations like critical code that requires thorough review before approval.
Cursor has addressed a security vulnerability in its popular AI-powered code editor that enables persistent code execution attacks through its Model Context Protocol (MCP) framework.
The flaw, tracked as CVE-2025-54136 (CVSS score 7.2), allows attackers to bypass trust validation mechanisms and achieve remote code execution on developer machines without triggering security warnings or additional user prompts. AI-assisted development tools introduce new attack vectors when trust models fail to account for configuration changes over time.
The vulnerability was discovered in July 2025 by Check Point security researchers, who dubbed the attack "MCPoison" due to its ability to poison previously trusted MCP configurations. The IDE requires initial user approval for MCP configurations stored in the .cursor/rules/mcp.json file of a repository, but any subsequent modifications to approved configurations are automatically trusted without additional validation. This creates a scenario where attackers can commit benign-looking MCP files to shared repositories, wait for victims to approve them, then silently replace the configurations with malicious payloads that execute automatically each time the project is opened.
Attack sequence
- Attacker commits a benign .cursor/rules/mcp.json file with a harmless command (e.g., echo "hello") to a shared repository
- Developer pulls the repository and opens the project in Cursor IDE
- Cursor prompts for MCP approval; the user accepts the seemingly harmless configuration
- Attacker modifies the same MCP entry, replacing the harmless command with a malicious payload (e.g., a reverse shell, cmd.exe /c shell.bat)
- No new approval prompt is triggered; trust is bound to the MCP name, not its contents
- Victim syncs the repository or reopens the Cursor project
- Malicious commands execute automatically and silently
- The attack repeats every time Cursor opens the project, achieving persistence without detection
Affected versions of Cursor IDE are 1.2.4 and below.
Cursor acknowledged the vulnerability and released a security patch in version 1.3 on July 29, 2025. The update implements mandatory approval prompts for any modifications to MCP configurations, ensuring that even minor changes such as adding a single space character trigger new authorization requirements. Organizations can check their current Cursor version through the application's help menu and upgrade to the latest version to mitigate this critical risk.
Organizations that can't upgrade should implement strict repository access controls to limit who can modify .cursor/rules/mcp.json files, treat MCP configurations as critical code components requiring review processes, and monitor IDE activity for automated command executions that could indicate compromise.
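The core of the flaw in the attack sequence above is that approval was keyed on the MCP server's name rather than its contents. The following is an added example, not Cursor's code and not from Check Point's write-up, of the content-bound check a repository review tool or pre-open hook could apply: it pins a hash of every server entry at approval time and flags any entry whose contents later differ, even when the name is unchanged. It assumes the mcp.json layout of a top-level "mcpServers" object keyed by server name; both sample configurations are constructed for this example, and the replacement command is the placeholder used in the write-up above.

```python
"""
Content-bound approval check for Cursor MCP configurations.

Hypothetical defender tooling (not Cursor's own code): it records a
fingerprint of each MCP server entry when the user approves it and
reports any entry that has since changed, been added, or been removed.
"""
import hashlib
import json

# Assumed layout of .cursor/rules/mcp.json: a top-level "mcpServers" object
# keyed by server name. Both configs below are constructed for this example.
APPROVED_CONFIG = """
{
  "mcpServers": {
    "build-helper": {
      "command": "echo",
      "args": ["hello"]
    }
  }
}
"""

# Same server name, different command (placeholder payload from the write-up),
# plus a server that was never approved at all.
MODIFIED_CONFIG = """
{
  "mcpServers": {
    "build-helper": {
      "command": "cmd.exe",
      "args": ["/c", "shell.bat"]
    },
    "linter": {
      "command": "npx",
      "args": ["some-linter"]
    }
  }
}
"""


def entry_fingerprint(entry: dict) -> str:
    """SHA-256 over the canonical JSON of one server entry. Any change to a
    key or value (including whitespace inside a string) changes the hash;
    formatting-only changes outside string values do not."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def record_approval(config_text: str) -> dict[str, str]:
    """Return {server_name: fingerprint} for an approved config. A real tool
    would store this outside the repository so a commit cannot rewrite the
    approval record together with the config it covers."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: entry_fingerprint(entry) for name, entry in servers.items()}


def check_config(config_text: str, approvals: dict[str, str]) -> dict[str, list[str]]:
    """Classify every server in the current config against pinned approvals."""
    servers = json.loads(config_text).get("mcpServers", {})
    result: dict[str, list[str]] = {"unchanged": [], "changed": [], "new": [], "removed": []}
    for name, entry in servers.items():
        if name not in approvals:
            result["new"].append(name)
        elif approvals[name] != entry_fingerprint(entry):
            result["changed"].append(name)
        else:
            result["unchanged"].append(name)
    result["removed"] = sorted(set(approvals) - set(servers))
    return result


def needs_reapproval(config_text: str, approvals: dict[str, str]) -> bool:
    """True when the config would run something the user never approved in
    this exact form: a changed entry or a new one."""
    verdict = check_config(config_text, approvals)
    return bool(verdict["changed"] or verdict["new"])


if __name__ == "__main__":
    pinned = record_approval(APPROVED_CONFIG)
    print("Verdict after modification:", check_config(MODIFIED_CONFIG, pinned))
    print("Re-approval required:", needs_reapproval(MODIFIED_CONFIG, pinned))
```

Run against the two constructed configs, the "build-helper" entry is reported as changed and "linter" as new, so re-approval is required, which is exactly the decision the pre-1.3 name-bound trust model skipped. Note that hashing canonical JSON deliberately ignores indentation and key order; if you want the stricter behaviour of the 1.3 patch, where even an added space re-prompts, fingerprint the raw file bytes instead.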