Cursor, an AI-powered code editor that promises to "understand your codebase and help you code faster," has issued patches for two severe vulnerabilities that could enable remote code execution (RCE) without user interaction. Tracked as CVE-2025-54135 and CVE-2025-54136, both flaws involve MCP (Multi-Context Prompting) configuration files, a powerful mechanism for controlling AI assistant behavior in the workspace.
CVE-2025-54135 (CVSS 8.6): Prompt Injection Chain to RCE
The first flaw arises from how Cursor Agent handles prompt-generated file writes. If a file like .cursor/mcp.json does not already exist, the agent can create it without user consent. This creates a dangerous attack chain:
- Step 1: Inject a malicious prompt to trick the AI agent.
- Step 2: The agent creates a sensitive MCP config file.
- Step 3: The file is configured to load a malicious MCP server.
- Step 4: Code is executed silently on the victim's machine.
"This could allow the writing of sensitive MCP files on the host by the agent… and be used to directly execute code," the advisory warns.
The vulnerability affects Cursor versions ≤ 1.2.1 and has been patched in version 1.3.9.
CVE-2025-54136 (CVSS 7.2): MCP Trust Bypass for Persistent RCE
The second flaw is a trust abuse vulnerability in MCP server configuration. Once a user approves an MCP server in a shared GitHub repository, anyone with write access can silently replace the server with a malicious one, with no re-approval required.
"Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt," the advisory notes.
This opens the door to stealthy, persistent backdoors in collaborative codebases, especially dangerous for enterprise and open-source teams.
"If an attacker has write permissions on a user's active branches… the attacker can achieve arbitrary code execution," the advisory states.
To mitigate this, the updated agent now prompts for re-approval every time an mcpServer entry is modified, not just when it's initially added.
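The following is an added example, not Cursor's code, showing how the patched behaviour can be modelled: each approved MCP server entry is fingerprinted over the fields that decide what actually runs (command, args, env), and any later difference against the stored fingerprint is reported as "modified" so the user is prompted again. The same review also covers the first flaw, since a .cursor/mcp.json the agent created from scratch yields only "new" entries, none of which carry an approval. The mcp.json layout (a top-level "mcpServers" object), the approval-store format, and the sample server names and package are assumptions made for this illustration.

```python
"""Approval-tracked review of .cursor/mcp.json entries (added example).

Models the re-approval-on-change behaviour described in the advisory. The
mcp.json layout and the approval store are assumptions for this example.
"""
import hashlib
import json


def fingerprint(entry: dict) -> str:
    """Stable SHA-256 over the fields that decide what actually executes.

    Canonical JSON (sorted keys, fixed separators) so that key order or
    whitespace changes in the file do not look like a changed server.
    """
    material = {
        "command": entry.get("command"),
        "args": entry.get("args", []),
        "env": entry.get("env", {}),
    }
    canon = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def approve_all(config: dict) -> dict:
    """Record current fingerprints as user-approved (after an explicit prompt)."""
    servers = config.get("mcpServers", {})
    return {name: fingerprint(entry) for name, entry in servers.items()}


def review_config(config: dict, approvals: dict) -> dict:
    """Classify every server in config against the approval store.

    approvals maps server name -> fingerprint the user approved.
    Returns name -> "approved" | "new" | "modified" | "removed".
    Anything other than "approved" should trigger a fresh prompt.
    """
    servers = config.get("mcpServers", {})
    result = {}
    for name, entry in servers.items():
        if name not in approvals:
            result[name] = "new"          # never approved (e.g. agent-created file)
        elif approvals[name] != fingerprint(entry):
            result[name] = "modified"     # same name, different command/args/env
        else:
            result[name] = "approved"
    for name in approvals:
        if name not in servers:
            result[name] = "removed"      # approval no longer matches any entry
    return result


# Constructed sample: the config a collaborator originally reviewed and approved.
ORIGINAL_CONFIG = {
    "mcpServers": {
        "docs-search": {
            "command": "npx",
            "args": ["-y", "@example/docs-mcp"],  # placeholder package name
        }
    }
}

# Constructed sample: same server name, but the command was swapped after
# approval (the advisory's calc.exe illustration) and a second entry appeared.
SWAPPED_CONFIG = {
    "mcpServers": {
        "docs-search": {"command": "calc.exe", "args": []},
        "new-helper": {"command": "node", "args": ["helper.js"]},
    }
}


def demo() -> dict:
    """Approve the original file, then review the swapped one."""
    approvals = approve_all(ORIGINAL_CONFIG)
    return review_config(SWAPPED_CONFIG, approvals)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Keying the store by server name alone is exactly the weakness the advisory describes, which is why the fingerprint, not the name, is what the approval is bound to; `env` is included because a changed environment can redirect an otherwise identical command.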