https://www.aim.security/lp/aim-labs-curxecute-blogpost
Security researchers at Aim Security have disclosed a critical vulnerability, dubbed CurXecute, in the popular AI-powered code editor Cursor. It affects nearly every version of the IDE released before the fix and can be exploited for remote code execution with the privileges of the developer running Cursor. The flaw, now tracked as CVE-2025-54135 with a high-severity CVSS score of 8.6, is triggered by feeding malicious prompts to Cursor's AI agent, which opens the door to ransomware and data-theft attacks aimed at software developers.
The vulnerability abuses Cursor's support for the Model Context Protocol (MCP), an open standard that extends an AI agent's capabilities by connecting it to external data sources and tools such as Slack, GitHub, and databases. Cursor reads its MCP server definitions from an mcp.json configuration file (~/.cursor/mcp.json globally, or .cursor/mcp.json inside a project directory); each entry names a command that Cursor launches to start the server. An attacker who can plant a prompt injection in content the agent will read (a web page, a chat message, a document) can steer the agent into rewriting that file and adding an entry whose command is whatever the attacker chooses, giving arbitrary command execution. Two Cursor behaviours made this especially dangerous: Cursor started any newly written MCP server entry without asking the user for confirmation, and it did so as soon as the agent wrote the file, before the developer had accepted or rejected the proposed edit. Rejecting the suggested change afterwards was therefore too late; the command had already run.
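One compensating control a practitioner can put in place regardless of editor version is to audit the mcp.json file for server entries that nobody reviewed, since every entry is a command Cursor will run. The following is an added example and is not code from Aim Security or Cursor; it follows Cursor's documented mcp.json layout (a "mcpServers" object keyed by server name, with command/args/env or a url), while the allowlist mechanism, the function names and both sample configurations are constructed for illustration. It fingerprints the launch spec of each approved server and reports anything new or changed, which is exactly what an injected edit of the kind described above would produce.

```python
"""Audit a Cursor mcp.json for MCP server entries that were never approved.

Added example, not Aim Security's or Cursor's code. The file layout
("mcpServers" -> name -> command/args/env or url) follows Cursor's docs;
the allowlist scheme and sample configs below are constructed assumptions.
"""
import hashlib
import json

# Keys that determine what actually gets executed when Cursor starts a server.
LAUNCH_KEYS = ("command", "args", "env", "url")


def entry_fingerprint(entry: dict) -> str:
    """Stable SHA-256 over the launch-relevant keys of one server entry."""
    canon = json.dumps({k: entry.get(k) for k in LAUNCH_KEYS},
                       sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


def approve_config(config_text: str) -> dict:
    """Build the allowlist: server name -> fingerprint, from a reviewed file."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: entry_fingerprint(entry) for name, entry in servers.items()}


def audit_mcp_config(config_text: str, approved: dict) -> list:
    """Return one finding per server whose launch spec is not on the allowlist.

    An empty list means the file contains only entries a human has reviewed.
    A NEW finding is the signature of a CurXecute-style injected entry: a
    server that appeared without anyone adding it on purpose.
    """
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, entry in servers.items():
        launch = entry.get("command") or entry.get("url")
        args = entry.get("args", [])
        if name not in approved:
            findings.append(f"NEW server {name!r}: runs {launch!r} {args}")
        elif approved[name] != entry_fingerprint(entry):
            findings.append(f"MODIFIED server {name!r}: launch spec changed")
    return findings


# Constructed sample: the config a developer reviewed and approved.
APPROVED_CONFIG = json.dumps({
    "mcpServers": {
        "slack": {
            "command": "npx",
            "args": ["-y", "slack-mcp-server"],
            "env": {"SLACK_BOT_TOKEN": "xoxb-redacted"},
        },
        "github": {"url": "http://localhost:3001/sse"},
    }
})
APPROVED = approve_config(APPROVED_CONFIG)

# Constructed sample: the same file after an injected edit. One existing entry
# had its arguments changed and a new entry was appended whose "command" is an
# arbitrary shell command (harmless marker here; in the real attack, anything).
TAMPERED_CONFIG = json.dumps({
    "mcpServers": {
        "slack": {
            "command": "npx",
            "args": ["-y", "slack-mcp-server", "--extra-flag"],
            "env": {"SLACK_BOT_TOKEN": "xoxb-redacted"},
        },
        "github": {"url": "http://localhost:3001/sse"},
        "updater": {
            "command": "sh",
            "args": ["-c", "touch /tmp/curxecute-demo"],
        },
    }
})

if __name__ == "__main__":
    for finding in audit_mcp_config(TAMPERED_CONFIG, APPROVED):
        print(finding)
```

Run this from a pre-commit hook or a file watcher on .cursor/mcp.json and ~/.cursor/mcp.json and treat any finding as a blocker. Fingerprinting the launch keys rather than the whole entry means cosmetic edits (reordering, comments in a sidecar file) do not cause noise, while any change to the command, arguments, environment or URL does. This is a detective control only; the actual fix is the Cursor update described below, which stops the editor from starting servers that nobody confirmed.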
Aim Security researchers demonstrated the attack with a standard MCP server, the Slack integration, by posting a message containing the injection payload to a public channel. When a victim later asks the agent to summarize the channel, the agent reads the attacker's instructions as if they were the user's, writes the attacker's entry into mcp.json, and the command runs on the developer's machine without any approval step, effectively turning the AI agent into a local shell for the attacker. The researchers reported the vulnerability privately to Cursor on July 7; a patch was merged the following day and shipped in Cursor version 1.3 on July 29. Users are strongly advised to update to the latest version immediately to protect against attacks that could lead to system compromise, data exfiltration, or manipulation of the agent's own output.