CVE-2025-54136
Cursor Remote Code Execution Vulnerability
CVSS 3.1 base score: 8.8 (HIGH)
Description

Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or by editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt. If an attacker has write permissions on a user's active branches of a source repository that contains existing MCP servers the user has previously approved, or if an attacker has arbitrary local file write, the attacker can achieve arbitrary code execution. This is fixed in version 1.3.

INFO

Published Date: Aug. 2, 2025, 12:15 a.m.
Last Modified: Aug. 25, 2025, 1:41 a.m.
Remotely Exploitable: Yes
Affected Products

The following products are affected by CVE-2025-54136. Even where cvefeed.io knows the exact affected versions, they are not shown in the table below.

ID  Vendor     Product
1   Anysphere  cursor
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.

Score  Version   Severity  Vector  Exploitability Score  Impact Score  Source
       CVSS 3.1  HIGH                                                  [source e-mail redacted]
       CVSS 3.1  HIGH                                                  [source e-mail redacted]
Solution
Update Cursor to version 1.3 to fix remote code execution via MCP files.
  • Update Cursor to version 1.3 or later.
  • Review and validate all MCP configuration files.
  • Restrict write permissions on active branches.
  • Implement code review for MCP files.
Public PoC/Exploit Available on GitHub

CVE-2025-54136 has 1 public PoC/Exploit available on GitHub.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-54136.

URL                                                                              Resource
https://github.com/cursor/cursor/security/advisories/GHSA-24mc-g4xr-4395  Vendor Advisory
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-54136 is associated with the following CWEs:

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'), as recorded in the change history below.

Common Attack Pattern Enumeration and Classification (CAPEC)

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by the most recently updated).

  • (repository name not rendered on the original page)
    Updated: 1 week, 4 days ago; 0 stars, 0 forks, 0 watchers
    Created: Aug. 15, 2025, 9:07 a.m. This repository is also linked to 310 other CVEs, so it is unlikely to be a dedicated exploit for this issue.

Results are limited to the first 15 repositories due to potential performance issues.

The following news articles mention CVE-2025-54136 somewhere in their text.

  • TheCyberThrone: CVE-2025-53786 affects Microsoft Exchange
    August 7, 2025. CVE-2025-53786 is a high-severity elevation of privilege vulnerability found in Microsoft Exchange Server hybrid deployments. The flaw allows an attacker with administrative access to an ...
    Published Date: Aug 07, 2025 (2 weeks, 5 days ago)

  • TheCyberThrone: Trend Micro Apex One Critical Vulnerabilities
    August 7, 2025. Overview: In early August 2025, Trend Micro issued an urgent security bulletin disclosing two actively exploited critical vulnerabilities in its Apex One and Apex One as a Service (on-prem ...
    Published Date: Aug 07, 2025 (2 weeks, 5 days ago)

  • TheCyberThrone: CVE-2025-54136 affects Vibe Coding tool Cursor
    August 6, 2025. A critical code execution vulnerability, tagged as CVE-2025-54136 (also dubbed “MCPoison”), was found in the Cursor AI-powered code editor. This vulnerability is particularly dangerous f ...
    Published Date: Aug 06, 2025 (2 weeks, 6 days ago)

  • CybersecurityNews: New MCPoison Attack Leverages Cursor IDE MCP Validation to Execute Arbitrary System Commands
    A critical vulnerability in Cursor IDE, the rapidly growing AI-powered development environment, enables persistent remote code execution through manipulation of the Model Context Protocol (MCP) system ...
    Published Date: Aug 05, 2025 (2 weeks, 6 days ago)

  • The Hacker News: Cursor AI Code Editor Vulnerability Enables RCE via Malicious MCP File Swaps Post Approval
    Aug 05, 2025, Ravie Lakshmanan, AI Security / MCP Protocol. Cybersecurity researchers have disclosed a high-severity security flaw in the artificial intelligence (AI)-powered code editor Cursor that coul ...
    Published Date: Aug 05, 2025 (3 weeks ago)

  • Daily CyberSecurity: The Telecom Threat: Liminal Panda’s Covert Campaign Targets Southwest Asian Critical Infrastructure
    [Figure caption: High-level chain of events in the attack investigated by Unit 42] In a revealing report by Palo Alto Networks’ Unit 42, a high-level cyberespionage campaign targeting critical telecommunications infras ...
    Published Date: Aug 04, 2025 (3 weeks, 1 day ago)

  • Daily CyberSecurity: Prompt Injection to Code Execution: Cursor Code Editor Hit by Critical MCP Vulnerabilities (CVE-2025-54135 & CVE-2025-54136)
    Cursor, an AI-powered code editor that promises to “understand your codebase and help you code faster,” has issued patches for two severe vulnerabilities that could enable remote code execution (RCE) ...
    Published Date: Aug 04, 2025 (3 weeks, 1 day ago)

  • Daily CyberSecurity: Storm-2603: Chinese APT Deploys Warlock & LockBit with AK47C2 Framework
    [Image caption: Antivirus Terminator supported arguments when run without parameters | Image: Check Point] Check Point Research (CPR) has detailed a previously undocumented Chinese-affiliated threat actor—Storm-2603—l ...
    Published Date: Aug 04, 2025 (3 weeks, 1 day ago)

The following table lists the changes that have been made to the CVE-2025-54136 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [source e-mail redacted], Aug. 25, 2025

    Action  Type               Old Value  New Value
    Added   CVSS V3.1          -          AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Added   CPE Configuration  -          OR *cpe:2.3:a:anysphere:cursor:*:*:*:*:*:*:*:* versions up to (excluding) 1.3
    Added   Reference Type     -          GitHub, Inc.: https://github.com/cursor/cursor/security/advisories/GHSA-24mc-g4xr-4395 Types: Vendor Advisory

  • New CVE Received by [source e-mail redacted], Aug. 02, 2025

    Action  Type         Old Value  New Value
    Added   Description  -          Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt. If an attacker has write permissions on a user's active branches of a source repository that contains existing MCP servers the user has previously approved, or allows an attacker has arbitrary file-write locally, the attacker can achieve arbitrary code execution. This is fixed in version 1.3.
    Added   CVSS V3.1    -          AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    Added   CWE          -          CWE-78
    Added   Reference    -          https://github.com/cursor/cursor/security/advisories/GHSA-24mc-g4xr-4395
EPSS is a daily estimate of the probability that exploitation activity will be observed over the next 30 days. The EPSS score history chart for this vulnerability is not reproduced in this text.
Vulnerability Scoring Details
Base CVSS Score: 8.8
The metric values below are decoded from the CVSS 3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H recorded in the change history above, which is the vector that yields a base score of 8.8 under the CVSS 3.1 specification (the PR:H vector from the original submission yields 7.2).
Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: Low (PR:L)
User Interaction: None (UI:N)
Scope: Unchanged (S:U)
Confidentiality Impact: High (C:H)
Integrity Impact: High (I:H)
Availability Impact: High (A:H)