CVE-2025-54135
Cursor Agent is vulnerable to prompt injection via MCP Special Files
Description
Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions below 1.3.9, If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive MCP files, such as the .cursor/mcp.json file don't already exist in the workspace, an attacker can chain a indirect prompt injection vulnerability to hijack the context to write to the settings file and trigger RCE on the victim without user approval. This is fixed in version 1.3.9.
INFO
Published Date :
Aug. 5, 2025, 1:15 a.m.
Last Modified :
June 17, 2026, 9:39 a.m.
Remotely Exploit :
Yes !
Source :
[email protected]
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | |||||
| CVSS 3.1 | HIGH | [email protected] | ||||
| CVSS 3.1 | CRITICAL | [email protected] |
Solution
- Update Cursor to version 1.3.9 or later.
- Review workspace file editing permissions.
- Avoid editing sensitive dotfiles without approval.
Public PoC/Exploit Available at Github
CVE-2025-54135 has a 40 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2025-54135.
| URL | Resource |
|---|---|
| https://github.com/cursor/cursor/security/advisories/GHSA-4cxx-hrm3-49rm | Mitigation Vendor Advisory |
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2025-54135 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2025-54135
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
None
Makefile Shell HTML Python
A curated, opinionated list of resources for securing AI agents, LLMs, and the Model Context Protocol (MCP) — attacks, defenses, tools, labs, and research. All links verified.
agent-security ai-agents ai-safety ai-security awesome awesome-list cybersecurity jailbreak llm llm-security mcp mcp-security owasp prompt-injection red-teaming
AETHER_01 — Full-spectrum Windows 10/11 MCP Server on Rust. 10 tools, 99% system management coverage including GUI automation. Maximum speed, maximum security.
mcp mcp-server rust system-administration windows windows-automation
Rust PowerShell JavaScript
A semantic scanner for malicious MCP servers and agent skills — prompt-injection, tool-poisoning, rug-pulls, excessive agency.
agent-security ai-security mcp owasp prompt-injection python supply-chain
Python
None
Dockerfile Shell Go
None
JavaScript TypeScript CSS Solidity Dockerfile
MCP server hardening linter — capability declarations, transport, tool descriptions
ai-security cognis-digital cognis-neural-suite mcpharden ai-safety automation cli llm-security mcp mcp-server prompt-injection python self-hosted model-context-protocol network-security agent-security ai cognis llm machine-learning
Dockerfile Python Shell Go JavaScript Rust HCL PowerShell
Trust nothing. Ship safely. — Skeptical-reading and prompt-injection defense skill for AI agents. Provenance tagging, red-flag patterns, refusal templates, and a read-only injection auditor. MIT.
Shell
Sandbox any MCP server in one line. Firecracker microVM isolation for Claude Desktop, Cursor, Windsurf, and every MCP client.
ai-security claude-desktop cursor firecracker isolation mcp mcp-server sandbox security
AI agent configuration security auditor — find misconfigurations in Claude Code, Cursor, and other AI tools
ai ai-agents claude claude-code devsecops go llm security security-audit aisecurity
Go Dockerfile Shell
Command-line interface for Declaw — security-first sandboxing for AI agents
ai-security cli firecracker mcp mcp-server sandbox security ai-agents code-execution command-line devtools golang llm microvm model-context-protocol sandboxing
Makefile Go Shell
Research note on indirect prompt injection through files presented as legitimate work artifacts.
A curated list of attack classes and its defenses when building a production grade agents workflow for organizational data.
None
None
Dockerfile Python Shell CSS
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2025-54135 vulnerability anywhere in the article.
-
The Hacker News
Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands
Two flaws in Cursor, an AI code editor, could let a single, ordinary-looking prompt break out of the editor's safety sandbox and run any command on a developer's computer. There is no click to fall fo ... Read more
-
Daily CyberSecurity
The Poisoned Pickle: Critical Unpatched RCE Flaws Expose SGLang AI Infrastructure
Security researchers have issued a warning to the AI development community following the discovery of critical vulnerabilities in SGLang, a popular open-source serving framework for Large Language Mod ... Read more
-
Daily CyberSecurity
CVE-2026-2256: Unpatched Flaw in MS-Agent Lets Hackers Hijack AI Assistants
We are officially entering the era of the “autonomous agent”—smart AI programs that don’t just chat with you, but actually do things on your computer, like organizing files, searching the web, or runn ... Read more
-
Daily CyberSecurity
Critical 9.8 Flaw in Langflow’s AI CSV Agent Opens a Direct Path to Root Shell
Artificial intelligence is making it easier than ever to build complex applications, but a newly discovered vulnerability shows that these same tools can inadvertently leave the front door wide open f ... Read more
-
The Hacker News
5 Threats That Reshaped Web Security This Year [2025]
As 2025 draws to a close, security professionals face a sobering realization: the traditional playbook for web security has become dangerously obsolete. AI-powered attacks, evolving injection techniqu ... Read more
-
Kaspersky
Security risks of vibe coding and LLM assistants for developers
Although the benefits of AI assistants in the workplace remain debatable, where they’re being adopted most confidently of all is in software development. Here, LLMs play many roles — from refactoring ... Read more
-
TheCyberThrone
CVE-2025-54136 affects Vibe Coding tool Cursor
August 6, 2025A critical code execution vulnerability, tagged as CVE-2025-54136 (also dubbed “MCPoison”), was found in the Cursor AI-powered code editor. This vulnerability is particularly dangerous f ... Read more
-
CybersecurityNews
AI-Powered Code Editor Cursor IDE Vulnerability Enables Remote Code Without User Interaction
A severe vulnerability in the popular AI-powered code editor Cursor IDE, dubbed “CurXecute,” allows attackers to execute arbitrary code on developers’ machines without any user interaction. The vulner ... Read more
-
Daily CyberSecurity
The Telecom Threat: Liminal Panda’s Covert Campaign Targets Southwest Asian Critical Infrastructure
High-level chain of events in the attack investigated by Unit 42 In a revealing report by Palo Alto Networks’ Unit 42, a high-level cyberespionage campaign targeting critical telecommunications infras ... Read more
-
Daily CyberSecurity
Prompt Injection to Code Execution: Cursor Code Editor Hit by Critical MCP Vulnerabilities (CVE-2025-54135 & CVE-2025-54136)
Cursor, an AI-powered code editor that promises to “understand your codebase and help you code faster,” has issued patches for two severe vulnerabilities that could enable remote code execution (RCE) ... Read more
-
Daily CyberSecurity
Storm-2603: Chinese APT Deploys Warlock & LockBit with AK47C2 Framework
Antivirus Terminator supported arguments when run without parameters | Image: Check Point Check Point Research (CPR) has detailed a previously undocumented Chinese-affiliated threat actor—Storm-2603—l ... Read more
-
The Hacker News
Cursor AI Code Editor Fixed Flaw Allowing Attackers to Run Commands via Prompt Injection
Cybersecurity researchers have disclosed a now-patched, high-severity security flaw in Cursor, a popular artificial intelligence (AI) code editor, that could result in remote code execution. The vulne ... Read more
-
BleepingComputer
AI-powered Cursor IDE vulnerable to prompt-injection attacks
A vulnerability that researchers call CurXecute is present in almost all versions of the AI-powered code editor Cursor, and can be exploited to execute remote code with developer privileges. The secur ... Read more
The following table lists the changes that have been made to the
CVE-2025-54135 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by [email protected]
Jun. 17, 2026
Action Type Old Value New Value Added Affected [{'vendor': 'cursor', 'product': 'cursor', 'versions': [{'status': 'affected', 'version': '< 1.3.9'}]}] -
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Jun. 17, 2026
Action Type Old Value New Value Added SSVC {'id': 'CVE-2025-54135', 'role': 'CISA Coordinator', 'options': [{'exploitation': 'none'}, {'automatable': 'no'}, {'technicalImpact': 'total'}], 'version': '2.0.3', 'timestamp': '2025-08-05T13:58:32.369007Z'} -
Initial Analysis by [email protected]
Aug. 25, 2025
Action Type Old Value New Value Added CVSS V3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Added CPE Configuration OR *cpe:2.3:a:anysphere:cursor:*:*:*:*:*:*:*:* versions up to (excluding) 1.3.9 Added Reference Type GitHub, Inc.: https://github.com/cursor/cursor/security/advisories/GHSA-4cxx-hrm3-49rm Types: Mitigation, Vendor Advisory -
New CVE Received by [email protected]
Aug. 05, 2025
Action Type Old Value New Value Added Description Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions below 1.3.9, If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive MCP files, such as the .cursor/mcp.json file don't already exist in the workspace, an attacker can chain a indirect prompt injection vulnerability to hijack the context to write to the settings file and trigger RCE on the victim without user approval. This is fixed in version 1.3.9. Added CVSS V3.1 AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H Added CWE CWE-78 Added CWE CWE-829 Added Reference https://github.com/cursor/cursor/security/advisories/GHSA-4cxx-hrm3-49rm