CVE-2025-54135

Name of the Vulnerable Software and Affected Versions Cursor versions prior to 1.3.9

Description Cursor, an AI-powered code editor, had a flaw that allowed writing files in the workspace without user approval in versions prior to 1.3.9. If a sensitive MCP file, such as .cursor/mcp.json, did not exist, an attacker could chain an indirect prompt injection vulnerability to hijack the context and write to the settings file, triggering remote code execution (RCE) without user approval. The vulnerability, dubbed “CurXecute” (CVE-2025-54135), stems from the Model Context Protocol (MCP) and allows attackers to exploit prompt injection through various third-party MCP servers like Slack and GitHub. Exploitation could lead to ransomware attacks, data theft, and AI manipulation.

Recommendations Update to version 1.3.9 or later.