8.8
HIGH CVSS 3.1
CVE-2025-54136
Cursor's Modification of MCP Server Definitions Bypasses Manual Re-approvals
Description

Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt. If an attacker has write permissions on a user's active branches of a source repository that contains existing MCP servers the user has previously approved, or has arbitrary file-write access locally, the attacker can achieve arbitrary code execution. This is fixed in version 1.3.

INFO

Published Date: Aug. 2, 2025, 12:15 a.m.
Last Modified: Aug. 25, 2025, 1:41 a.m.
Remotely Exploitable: Yes
Affected Products

The following products are affected by the CVE-2025-54136 vulnerability. Even if cvefeed.io is aware of the exact versions of the products that are affected, the information is not represented in the table below.

ID Vendor Product Action
1 Anysphere cursor
CVSS Scores
The Common Vulnerability Scoring System is a standardized framework for assessing the severity of vulnerabilities in software and systems. We collect and display CVSS scores from various sources for each CVE.
Score Version Severity Vector Exploitability Score Impact Score Source
CVSS 3.1 HIGH [email protected]
CVSS 3.1 HIGH [email protected]
Solution
Update Cursor to version 1.3 to fix remote code execution via MCP files.
  • Update Cursor to version 1.3 or later.
  • Review and validate all MCP configuration files.
  • Restrict write permissions on active branches.
  • Implement code review for MCP files.
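
One way to carry out the "review and validate" step so that an approval does not survive a later edit, shown as an added example that is not code from Cursor or from this page. It assumes the MCP configuration is JSON with a top-level `mcpServers` object mapping server names to definitions; the sample configurations and the function names are constructed for illustration.

```python
import hashlib
import json


def fingerprint(definition: dict) -> str:
    """SHA-256 over the canonical JSON of one server definition."""
    # sort_keys makes the hash independent of key order and whitespace,
    # so a pure reformat of the file does not look like a change.
    canonical = json.dumps(definition, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def approve(config_text: str) -> dict:
    """Record a pin for every server present at review time."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: fingerprint(d) for name, d in servers.items()}


def audit(config_text: str, pins: dict) -> dict:
    """Classify each server in the current config against the stored pins."""
    servers = json.loads(config_text).get("mcpServers", {})
    result = {}
    for name, definition in servers.items():
        if name not in pins:
            result[name] = "unapproved"   # never reviewed
        elif fingerprint(definition) != pins[name]:
            result[name] = "changed"      # same name, different content
        else:
            result[name] = "ok"
    return result


# Constructed sample: the entry as reviewed, then the same entry name
# after its command was swapped (calc.exe is the page's own example).
APPROVED = '{"mcpServers": {"docs": {"command": "echo", "args": ["hello"]}}}'
MODIFIED = ('{"mcpServers": {"docs": {"command": "calc.exe", "args": []},'
            ' "extra": {"command": "echo", "args": []}}}')

if __name__ == "__main__":
    pins = approve(APPROVED)
    for name, status in audit(MODIFIED, pins).items():
        print(f"{name}: {status}")
```

Run in CI or a pre-checkout hook, any status other than "ok" is the signal to require a fresh manual review before the editor loads the file.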
Public PoC/Exploit Available at Github

CVE-2025-54136 has 49 public PoCs/exploits available on GitHub.

References to Advisories, Solutions, and Tools

Here, you will find a curated list of external links that provide in-depth information, practical solutions, and valuable tools related to CVE-2025-54136.

URL Resource
https://github.com/cursor/cursor/security/advisories/GHSA-24mc-g4xr-4395 Vendor Advisory
CWE - Common Weakness Enumeration

While CVE identifies specific instances of vulnerabilities, CWE categorizes the common flaws or weaknesses that can lead to vulnerabilities. CVE-2025-54136 is associated with the following CWEs:

We scan GitHub repositories to detect new proof-of-concept exploits. The following list is a collection of public exploits and proofs of concept that have been published on GitHub (sorted by most recently updated).

MCP security scanner with full 10/10 coverage of the OWASP MCP Top 10, zero API dependencies, ready to use after pip install.

Python

Updated: 21 hours, 44 minutes ago
0 stars 0 forks 0 watchers
Created: June 30, 2026, 5:08 a.m. This repo has also been linked to 2 different CVEs.

Detection-engineering for MCP: working Sigma rules for the OWASP MCP Top 10 + isolated home-lab + zero-dependency validator (git clone && python3 validate.py).

ai-security detection-engineering mcp model-context-protocol owasp purple-team security sigma soc threat-detection

Python

Updated: 4 days ago
0 stars 0 forks 0 watchers
Created: June 28, 2026, 1:38 p.m. This repo has also been linked to 3 different CVEs.

Prompt-injection / hidden-content scanner for LLM inputs. Monorepo (shared core + Claude Desktop MCP server + browser-only Web). All processing runs locally.

JavaScript HTML

Updated: 4 days, 1 hour ago
1 star 0 forks 0 watchers
Created: June 26, 2026, 12:04 p.m. This repo has also been linked to 2 different CVEs.

HydraSentry - HydraDB-native context-integrity harness + MCP security cockpit for memory-powered AI agents (HydraDB Build Blitz).

Python CSS TypeScript JavaScript HTML TeX

Updated: 4 days, 5 hours ago
0 stars 0 forks 0 watchers
Created: June 24, 2026, 9:54 p.m. This repo has also been linked to 1 different CVE.

AETHER_01 — Full-spectrum Windows 10/11 MCP Server on Rust. 10 tools, 99% system management coverage including GUI automation. Maximum speed, maximum security.

mcp mcp-server rust system-administration windows windows-automation

Rust PowerShell JavaScript

Updated: 4 days, 1 hour ago
0 stars 0 forks 0 watchers
Created: June 22, 2026, 6:49 a.m. This repo has also been linked to 3 different CVEs.

A semantic scanner for malicious MCP servers and agent skills — prompt-injection, tool-poisoning, rug-pulls, excessive agency.

agent-security ai-security mcp owasp prompt-injection python supply-chain

Python

Updated: 1 week, 3 days ago
0 stars 0 forks 0 watchers
Created: June 20, 2026, 7:36 a.m. This repo has also been linked to 2 different CVEs.

Safety-review a third-party agent skill before it can act. Injection-proof deterministic scanner + sandboxed semantic pass. /airlock for Claude Code.

Python

Updated: 2 weeks, 4 days ago
0 stars 0 forks 0 watchers
Created: June 13, 2026, 11:57 p.m. This repo has also been linked to 1 different CVE.

Two structural MCP-layer vulnerabilities in Claude Code allowing usage of CC without limitations (tool-result injection, tool-description poisoning).

Shell JavaScript C Makefile

Updated: 2 weeks, 4 days ago
0 stars 0 forks 0 watchers
Created: June 13, 2026, 2:26 p.m. This repo has also been linked to 5 different CVEs.

None

JavaScript TypeScript CSS Solidity Dockerfile

Updated: 2 weeks, 4 days ago
0 stars 0 forks 0 watchers
Created: June 13, 2026, 1:54 a.m. This repo has also been linked to 3 different CVEs.

Dynamic red-team probe for MCP servers, mapped to the OWASP MCP Top 10. Finds tool poisoning, hidden-instruction smuggling, and lethal-trifecta exposure.

Python

Updated: 2 weeks, 5 days ago
0 stars 0 forks 0 watchers
Created: June 12, 2026, 5:59 p.m. This repo has also been linked to 1 different CVE.

Architecture based on the Model Context Protocol for secure queries by LLM agents to relational databases.

Python PLpgSQL

Updated: 2 weeks, 3 days ago
0 stars 0 forks 0 watchers
Created: June 11, 2026, 9:32 p.m. This repo has also been linked to 1 different CVE.

MCP Security App

Python HTML Dockerfile JavaScript CSS Go Template Makefile TypeScript

Updated: 2 weeks, 5 days ago
0 stars 0 forks 0 watchers
Created: June 11, 2026, 10 a.m. This repo has also been linked to 1 different CVE.

MCP server hardening linter — capability declarations, transport, tool descriptions

ai-security cognis-digital cognis-neural-suite mcpharden ai-safety automation cli llm-security mcp mcp-server prompt-injection python self-hosted model-context-protocol network-security agent-security ai cognis llm machine-learning

Dockerfile Python Shell Go JavaScript Rust HCL PowerShell

Updated: 1 week, 2 days ago
1 star 0 forks 0 watchers
Created: June 8, 2026, 5:36 a.m. This repo has also been linked to 3 different CVEs.

AEGIS Security AI Agent

TypeScript CSS JavaScript Python HTML

Updated: 3 weeks, 3 days ago
0 stars 0 forks 0 watchers
Created: June 7, 2026, 2:52 p.m. This repo has also been linked to 2 different CVEs.

Visual AI workflow builder - drag nodes onto a canvas, run them as a live LangGraph, expose each workflow as an MCP tool.

Python JavaScript TypeScript CSS Dockerfile

Updated: 3 weeks, 4 days ago
0 stars 0 forks 0 watchers
Created: June 3, 2026, 6:19 p.m. This repo has also been linked to 1 different CVE.

Results are limited to the first 15 repositories due to potential performance issues.

The following news articles mention the CVE-2025-54136 vulnerability anywhere in their text.

  • The Hacker News
Critical Cursor Flaws Could Let Prompt Injection Escape Sandbox and Run Commands

Two flaws in Cursor, an AI code editor, could let a single, ordinary-looking prompt break out of the editor's safety sandbox and run any command on a developer's computer. There is no click to fall fo ... Read more

Published Date: Jul 01, 2026 (23 hours, 7 minutes ago)
  • The Hacker News
Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs

A high-severity flaw in Amazon Q Developer let a malicious repository run commands and steal a developer's cloud credentials. The path was short: a developer opens the repo, trusts the workspace, and ... Read more

Published Date: Jun 26, 2026 (5 days, 23 hours ago)
  • Proofpoint
CursorJack: weaponizing Deeplinks to exploit Cursor IDE

Author’s Note: This post reflects Proofpoint Threat Research observations in a controlled test environment as of January 19, 2026. Proofpoint has no commercial, customer, partner, or vendor relationsh ... Read more

Published Date: Mar 17, 2026 (3 months, 2 weeks ago)
  • Daily CyberSecurity
The Poisoned Pickle: Critical Unpatched RCE Flaws Expose SGLang AI Infrastructure

Security researchers have issued a warning to the AI development community following the discovery of critical vulnerabilities in SGLang, a popular open-source serving framework for Large Language Mod ... Read more

Published Date: Mar 16, 2026 (3 months, 2 weeks ago)
  • Daily CyberSecurity
CVE-2026-2256: Unpatched Flaw in MS-Agent Lets Hackers Hijack AI Assistants

We are officially entering the era of the “autonomous agent”—smart AI programs that don’t just chat with you, but actually do things on your computer, like organizing files, searching the web, or runn ... Read more

Published Date: Mar 03, 2026 (3 months, 4 weeks ago)
  • Daily CyberSecurity
Critical 9.8 Flaw in Langflow’s AI CSV Agent Opens a Direct Path to Root Shell

Artificial intelligence is making it easier than ever to build complex applications, but a newly discovered vulnerability shows that these same tools can inadvertently leave the front door wide open f ... Read more

Published Date: Mar 02, 2026 (4 months ago)
  • TheCyberThrone
CVE-2025-53786 affects Microsoft Exchange

August 7, 2025. CVE-2025-53786 is a high-severity elevation of privilege vulnerability found in Microsoft Exchange Server hybrid deployments. The flaw allows an attacker with administrative access to an ... Read more

Published Date: Aug 07, 2025 (10 months, 3 weeks ago)
  • TheCyberThrone
Trend Micro Apex One Critical Vulnerabilities

August 7, 2025. Overview: In early August 2025, Trend Micro issued an urgent security bulletin disclosing two actively exploited critical vulnerabilities in its Apex One and Apex One as a Service (on-prem ... Read more

Published Date: Aug 07, 2025 (10 months, 3 weeks ago)
  • TheCyberThrone
CVE-2025-54136 affects Vibe Coding tool Cursor

August 6, 2025. A critical code execution vulnerability, tagged as CVE-2025-54136 (also dubbed “MCPoison”), was found in the Cursor AI-powered code editor. This vulnerability is particularly dangerous f ... Read more

Published Date: Aug 06, 2025 (10 months, 3 weeks ago)
  • CybersecurityNews
New MCPoison Attack Leverages Cursor IDE MCP Validation to Execute Arbitrary System Commands

A critical vulnerability in Cursor IDE, the rapidly growing AI-powered development environment, enables persistent remote code execution through manipulation of the Model Context Protocol (MCP) system ... Read more

Published Date: Aug 05, 2025 (10 months, 3 weeks ago)
  • The Hacker News
Cursor AI Code Editor Vulnerability Enables RCE via Malicious MCP File Swaps Post Approval

Aug 05, 2025Ravie LakshmananAI Security / MCP Protocol Cybersecurity researchers have disclosed a high-severity security flaw in the artificial intelligence (AI)-powered code editor Cursor that coul ... Read more

Published Date: Aug 05, 2025 (10 months, 3 weeks ago)
  • Daily CyberSecurity
The Telecom Threat: Liminal Panda’s Covert Campaign Targets Southwest Asian Critical Infrastructure

High-level chain of events in the attack investigated by Unit 42 In a revealing report by Palo Alto Networks’ Unit 42, a high-level cyberespionage campaign targeting critical telecommunications infras ... Read more

Published Date: Aug 04, 2025 (10 months, 4 weeks ago)
  • Daily CyberSecurity
Prompt Injection to Code Execution: Cursor Code Editor Hit by Critical MCP Vulnerabilities (CVE-2025-54135 & CVE-2025-54136)

Cursor, an AI-powered code editor that promises to “understand your codebase and help you code faster,” has issued patches for two severe vulnerabilities that could enable remote code execution (RCE) ... Read more

Published Date: Aug 04, 2025 (10 months, 4 weeks ago)
  • Daily CyberSecurity
Storm-2603: Chinese APT Deploys Warlock & LockBit with AK47C2 Framework

Antivirus Terminator supported arguments when run without parameters | Image: Check Point Check Point Research (CPR) has detailed a previously undocumented Chinese-affiliated threat actor—Storm-2603—l ... Read more

Published Date: Aug 04, 2025 (10 months, 4 weeks ago)

The following table lists the changes that have been made to the CVE-2025-54136 vulnerability over time.

Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.

  • Initial Analysis by [email protected]

    Aug. 25, 2025

    Action Type Old Value New Value
    Added CVSS V3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
    Added CPE Configuration OR *cpe:2.3:a:anysphere:cursor:*:*:*:*:*:*:*:* versions up to (excluding) 1.3
    Added Reference Type GitHub, Inc.: https://github.com/cursor/cursor/security/advisories/GHSA-24mc-g4xr-4395 Types: Vendor Advisory
  • New CVE Received by [email protected]

    Aug. 02, 2025

    Action Type Old Value New Value
    Added Description Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt. If an attacker has write permissions on a user's active branches of a source repository that contains existing MCP servers the user has previously approved, or has arbitrary file-write access locally, the attacker can achieve arbitrary code execution. This is fixed in version 1.3.
    Added CVSS V3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
    Added CWE CWE-78
    Added Reference https://github.com/cursor/cursor/security/advisories/GHSA-24mc-g4xr-4395
EPSS is a daily estimate of the probability of exploitation activity being observed over the next 30 days. The following chart shows the EPSS score history of the vulnerability.