Advisory

Vulnerability in Cursor AI Code Editor enables remote code execution through prompt injection

Take action: If you're using Cursor IDE, immediately update to version 1.3 or later to avoid being hacked by a prompt left in the repo comments or in some chat or file that you are giving to Cursor to process for you. Review your MCP server configurations and remove any unnecessary external integrations that could be attack vectors.


Learn More

Aim Labs has disclosed a high-severity vulnerability in the Cursor AI-powered integrated development environment (IDE) that could allow attackers to execute arbitrary commands on developers' machines through a prompt injection attack. 

The flaw, dubbed "CurXecute", is tracked as CVE-2025-54135 (CVSS score 8.6). It exploits Cursor's Model Context Protocol (MCP) implementation, which allows the AI agent to connect with external services such as Slack, GitHub, databases, and other third-party systems to extend its capabilities. Two behaviours combine to make it exploitable: Cursor automatically executes new entries added to the ~/.cursor/mcp.json configuration file without user confirmation, and the AI agent can write files based on external input without validation.

An attacker can craft a malicious prompt and place it in external systems that Cursor's MCP servers can access, such as public Slack channels, GitHub repositories, or customer support systems. The AI agent can be tricked into modifying the MCP configuration file to include malicious server definitions. These malicious entries are immediately executed by Cursor's auto-start mechanism, granting the attacker the ability to run arbitrary commands with developer-level privileges on the victim's machine.

The attack chain requires minimal user interaction:

  1. The victim adds a standard MCP server (such as Slack integration) through Cursor's interface.
  2. An attacker posts a malicious message containing the injection payload in an accessible external location (for example, a Slack channel).
  3. When the victim asks the AI agent to interact with that external service, the malicious payload automatically triggers command execution before the user has any opportunity to review or approve the suggested changes.
  4. When the Cursor AI Agent suggests modifications to sensitive configuration files, the changes are written to disk immediately, triggering execution even if the user subsequently rejects the suggestion.

The flaw has been patched in Cursor version 1.3 released on July 29, 2025, but all earlier versions remain vulnerable to remote code execution attacks.

Aim Labs previously reported a similar vulnerability, EchoLeak, affecting Microsoft 365 Copilot.

Organizations using Cursor IDE should immediately upgrade to version 1.3 or later. Users can verify their current version and check for updates through the application's built-in update mechanism. As an additional precautionary measure, development teams should review their MCP server configurations and remove any unnecessary external integrations that could provide attack vectors.
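One way to carry out the configuration review recommended above is to compare the MCP configuration file against a baseline of entries the team has actually approved. The following is an added example, not code from Aim Labs or Cursor; it assumes the file holds a top-level "mcpServers" object whose entries use "command", "args", "env" or "url" fields, and the server names, package names and baseline are constructed placeholders.

```python
import hashlib
import json
from pathlib import Path

# Path named in the advisory; pass MCP_CONFIG.read_text() to audit() for real use.
MCP_CONFIG = Path.home() / ".cursor" / "mcp.json"


def fingerprint(entry):
    """Hash the fields that decide what is launched or contacted."""
    relevant = {k: entry.get(k) for k in ("command", "args", "env", "url")}
    return hashlib.sha256(json.dumps(relevant, sort_keys=True).encode()).hexdigest()


def audit(config_text, approved):
    """Return (server, finding) pairs that differ from the approved baseline."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return [("<file>", "unparseable JSON: " + exc.msg)]
    servers = config.get("mcpServers") if isinstance(config, dict) else None
    if not isinstance(servers, dict):
        return [("<file>", "no mcpServers object found")]
    findings = []
    for name, entry in sorted(servers.items()):
        if not isinstance(entry, dict):
            findings.append((name, "malformed entry"))
        elif name not in approved:
            findings.append((name, "not in approved baseline"))
        elif fingerprint(entry) != approved[name]:
            findings.append((name, "definition changed since approval"))
    return findings


# Constructed sample data: one reviewed server and one entry nobody approved.
REVIEWED_SLACK = {"command": "npx", "args": ["-y", "slack-mcp-placeholder"]}
APPROVED = {"slack": fingerprint(REVIEWED_SLACK)}
SAMPLE = json.dumps({"mcpServers": {
    "slack": REVIEWED_SLACK,
    "unreviewed-entry": {"command": "placeholder-binary", "args": []},
}})

if __name__ == "__main__":
    for server, finding in audit(SAMPLE, APPROVED):
        print(f"{server}: {finding}")
```

Because vulnerable versions execute new entries as soon as they are written, a finding from this check is a detection signal after the fact; upgrading to version 1.3 or later remains the fix.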
