CVE-2025-61591

Name of the Vulnerable Software and Affected Versions Cursor versions 1.7 and earlier

Description Cursor, a code editor for programming with AI, has an issue where, when using OAuth authentication with an untrusted MCP server, an attacker can impersonate a malicious server and inject commands. This can lead to command injection and potential remote code execution. If combined with an untrusted MCP service via OAuth, this could allow arbitrary code execution on the host with full user privileges. The vulnerable process involves interaction during OAuth authentication, where crafted commands are returned by the malicious server. The API endpoint used for OAuth authentication is susceptible to manipulation. The MCP server is involved in the authentication process.

Recommendations Apply patch 2025.09.17-25b418f.