CVE-2025-54136

Published Aug 2, 2025

Last updated 7 months ago

CVSS high 7.2
Cursor AI

Overview

Description
Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt. If an attacker has write permissions on a user's active branches of a source repository that contains existing MCP servers the user has previously approved, or allows an attacker has arbitrary file-write locally, the attacker can achieve arbitrary code execution. This is fixed in version 1.3.
Source
security-advisories@github.com
NVD status
Analyzed
Products
cursor

Risk scores

CVSS 3.1

Type
Primary
Base score
8.8
Impact score
5.9
Exploitability score
2.8
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-78

Social media

Hype score
Not currently trending

  1. CVE-2025-54136 affects Cursor 1.2.4 and below, enabling RCE through trusted MCP config changes. In shared repos, attackers swap payloads and pivot from a dev workstation. Hack The Box details exploit and fixes: https://t.co/UTmJTsOfI2 #MSSP #CyberSecurity #AppSec #HackTheBox htt

    @HTBJill

    2 Mar 2026

    150 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Your trust issues were right 🫣 CVE-2025-54136 affects Cursor versions 1.2.4 and below and can lead to remote code execution due to how MCP configurations are handled. The first time an MCP config is introduced, the user approves it. After that, any changes to the same file are

    @hackthebox_eu

    2 Mar 2026

    4272 Impressions

    7 Retweets

    63 Likes

    13 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2025-54136 in the Cursor AI editor lets attackers swap trusted MCP configs to achieve remote code execution. MSSPs: ensure Cursor is patched, treat IDE config files like code, and test detections for spawned reverse shells. Read more: https://t.co/66SbJZETP3 #HackTheBox #MSSP

    @HTBJill

    17 Sept 2025

    49 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. #VulnerabilityReport #AIsecurity Prompt Injection to Code Execution: Cursor Code Editor Hit by Critical MCP Vulnerabilities (CVE-2025-54135 & CVE-2025-54136) https://t.co/Ank7mFziga

    @Komodosec

    8 Sept 2025

    43 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. Uwaga, użytkownicy Cursora! W AI-IDE Cursor wykryto krytyczną lukę w zabezpieczeniach (CVE-2025-54136, MCPoison ). Po jednorazowym zatwierdzeniu konfiguracji MCP atakujący mogą ją dyskretnie zastąpić i uzyskać trwałe zdalne wykonanie kodu – bez dalszych monitów.

    @itcontent_eu

    14 Aug 2025

    3 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  6. 🚨 Luka MCPoison (CVE-2025-54136) w Cursor IDE pozwala na trwałe RCE po jednorazowej akceptacji configu MCP. Zmiana .cursor/mcp.json może aktywować złośliwy kod za każdym razem, gdy otwierasz IDE. Załatano w wersji 1.3 — zaktualizuj jak najszybciej! #cybersecurity #Cur

    @itcontent_eu

    14 Aug 2025

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. Jak środowisko Cursor pozwalało na uruchomienie złośliwego kodu – CVE-2025-54136 https://t.co/UMAyWgCTkS

    @AA6382813370063

    13 Aug 2025

    36 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    1 Quote

  8. CVE-2025-54135, CVE-2025-54136: Frequently Asked Questions About Vulnerabilities in Cursor IDE (CurXecute and MCPoison) https://t.co/BKWDFRjedJ https://t.co/6wAqaamGO8

    @IT_Peurico

    12 Aug 2025

    22 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. AI coding tools aren't safe by default. Cursor's MCPoison flaw (CVE-2025-54136) enabled persistent remote code execution—patch or risk compromise. #Cybersecurity #AI https://t.co/Bl0ULjRXOF

    @Serg_Panfilov

    10 Aug 2025

    42 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  10. Unpatched Cursor? MCPoison flaw (CVE-2025-54136) enables silent, permanent malware execution in dev environments. You've been warned. #Cybersecurity #AI https://t.co/tTEks2iyqM

    @Serg_Panfilov

    9 Aug 2025

    56 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  11. CPR just uncovered “MCPoison” — a critical flaw in the AI-powered #Cursor IDE (CVE-2025-54136). The #vulnerability lets attackers silently inject malicious commands via trusted project configurations— no code changes needed. #CheckPointResearch https://t.co/mGOnJV04nZ

    @michael_gazzano

    8 Aug 2025

    28 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  12. CVE-2025-54136 – MCPoison Cursor IDE: Persistent Code Execution via MCP Trust Bypass https://t.co/yjULsEYp9I #appsec

    @eyalestrin

    8 Aug 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  13. If you're using AI coding tools without security audits, you're playing with fire. The Cursor flaw (CVE-2025-54136) allowed permanent malicious code execution—patched but a dire warning. #Cybersecurity #AI https://t.co/3IRGMByiwh

    @Serg_Panfilov

    7 Aug 2025

    35 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  14. CVE-2025-54136 (CVSS:7.2, HIGH) is Awaiting Analysis. Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and per..https://t.co/Hspgf1GoBk #cybersecurityawareness #cybersecurity #CVE #infosec #hacker #nvd #mitre

    @cracbot

    7 Aug 2025

    5 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  15. CVE-2025-54135, CVE-2025-54136: Frequently Asked Questions About Vulnerabilities in Cursor IDE (CurXecute and MCPoison) https://t.co/3b6TVnFVeZ https://t.co/ULQaumRVYb

    @TechMash365

    7 Aug 2025

    51 Impressions

    0 Retweets

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  16. Cursor AI Editor Vulnerability Enables RCE via Malicious File Swap Check Point Research disclosed a high-severity vulnerability (CVE-2025-54136) in the Cursor AI code editor, dubbed MCPoison, enabling remote code execution via malicious changes to a previously trusted MCP https:

    @dCypherIO

    6 Aug 2025

    40 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  17. CVE-2025-54135, CVE-2025-54136: Frequently Asked Questions About Vulnerabilities in Cursor IDE (CurXecute and MCPoison) https://t.co/UOF6VKTRop https://t.co/dg2ItPApM9

    @pcasano

    6 Aug 2025

    26 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  18. CVE-2025-54135, CVE-2025-54136: Frequently Asked Questions About Vulnerabilities in Cursor IDE (CurXecute and MCPoison) https://t.co/KyD1p4OODQ https://t.co/NUjGE27eCu

    @EAlexStark

    6 Aug 2025

    45 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  19. CVE-2025-54135, CVE-2025-54136: Frequently Asked Questions About Vulnerabilities in Cursor IDE (CurXecute and MCPoison) https://t.co/tslGBATqog https://t.co/2F3V3orbnR

    @Art_Capella

    6 Aug 2025

    27 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  20. CVE-2025-54135, CVE-2025-54136: Frequently Asked Questions About Vulnerabilities in Cursor IDE (CurXecute and MCPoison) https://t.co/4Jnrg4oY4d https://t.co/nBRXveLu3d

    @dansantanna

    6 Aug 2025

    4 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  21. CVE-2025-54135, CVE-2025-54136: Frequently Asked Questions About Vulnerabilities in Cursor IDE (CurXecute and MCPoison) https://t.co/977eN0P3dn https://t.co/QqNwPcU9Yz

    @Trej0Jass

    6 Aug 2025

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  22. MCPoison: CVE-2025-54136 CURSOR IDE Persistent Code Execution 🚀 #bugbounty #cursor #CyberSecurity https://t.co/jZM5vzHfaS

    @NullSecurityX

    6 Aug 2025

    583 Impressions

    3 Retweets

    16 Likes

    3 Bookmarks

    0 Replies

    0 Quotes

  23. AI推進 コードエディタ Cursorにクリティカルな脆弱性(CVE-2025-54135,CVE-2025-54136) #セキュリティ対策Lab #セキュリティ #Security https://t.co/1n5OjKxEVW

    @securityLab_jp

    6 Aug 2025

    89 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  24. 🚨 MCPoison: CVE-2025-54136 @_CPResearch_ found a persistent RCE flaw in @cursor_ai's IDE — one approval, silent exploitation, repeated access. AI tooling just met a serious trust issue. 🔗 Read the full breakdown: https://t.co/Hdrpdtf45R #CyberSecurity #cursor https:/

    @CheckPointSW

    5 Aug 2025

    23 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  25. A critical vulnerability in Cursor AI Code Editor (CVE-2025-54136) dubbed MCPoison enables remote code execution through malicious MCP file swaps. Version 1.3 addresses this by requiring re-approval of config changes. #CodeSecurity #MCP #UK https://t.co/3VSrk02yWx

    @TweetThreatNews

    5 Aug 2025

    7 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  26. 🚨 Think approving an app config is NBD? Cursor IDE’s MCP flaw (CVE-2025-54136) turned one “OK” into a hacker’s VIP pass! 🕵️‍♂️ Backdoor city in a snap. Patch now or risk a cyber ambush! Details: https://t.co/k2ywzusszQ #CyberSecurity #InfoSec #PatchNow

    @zench4n

    5 Aug 2025

    32 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  27. Today, i released MCPoison CVE-2025-54136, a persistent remote code execution vulnerability in the Cursor IDE. This marks a new era of client-side exploitation, where AI tools are reshaping the attack surface. https://t.co/9VGPXmnxpZ

    @Od3dV

    5 Aug 2025

    58 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  28. Researchers revealed CVE-2025-54136, a vulnerability in Cursor IDE that allows persistent code execution via a trust bypass in its MCP system, enabling attackers to execute arbitrary commands silently after initial approval. #CyberSecurity #CVE https://t.co/kXGnRUgVHU

    @Cyber_O51NT

    5 Aug 2025

    236 Impressions

    0 Retweets

    1 Like

    2 Bookmarks

    1 Reply

    0 Quotes

  29. 🚨 A high-severity flaw in Cursor AI (CVE-2025-54136) let attackers hijack trusted MCP configs—triggering remote code execution every time you opened the project. No re-prompt. No warning. Just silent compromise by modifying a config file you already... https://t.co/4xKzwRBQ

    @IT_news_for_all

    5 Aug 2025

    36 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  30. 🚨 A high-severity flaw in Cursor AI (CVE-2025-54136) let attackers hijack trusted MCP configs—triggering remote code execution every time you opened the project. No re-prompt. No warning. Just silent compromise by modifying a config file you already trusted. Learn more →

    @TheHackersNews

    5 Aug 2025

    65523 Impressions

    66 Retweets

    142 Likes

    28 Bookmarks

    2 Replies

    9 Quotes

  31. 🚨 New research alert Check Point Research discovered a critical RCE vulnerability (CVE-2025-54136) in Cursor, a fast-growing AI-powered IDE. The flaw allows persistent, silent code execution by modifying previously approved Model Context Protocol (MCP) configs. 🧵More below

    @_CPResearch_

    5 Aug 2025

    12367 Impressions

    34 Retweets

    91 Likes

    41 Bookmarks

    3 Replies

    4 Quotes

  32. AIコードエディタ「Cursor」において、深刻なリモートコード実行(RCE)脆弱性が2件(CVE-2025-54135, CVE-2025-54136)報告され、1.3.9で修正された。

    @yousukezan

    4 Aug 2025

    9271 Impressions

    26 Retweets

    46 Likes

    16 Bookmarks

    0 Replies

    3 Quotes

  33. CVE-2025-54136 Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already… https://t.co/3EIrZym9lR

    @CVEnew

    1 Aug 2025

    363 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Cursor is a code editor built for programming with AI. Sandbox escape via writing .git configuration was possible in versions prior to 2.5. A malicious agent (ie prompt injection) could write to improperly protected .git settings, including git hooks, which may cause out-of-sandbox RCE next time they are triggered. No user interaction was required as Git executes these commands automatically. Fixed in version 2.5.CVE-2026-26268
  2. Cursor is a code editor built for programming with AI. Prior to 2.3, hen the Cursor Agent is running in Auto-Run Mode with Allowlist mode enabled, certain shell built-ins can still be executed without appearing in the allowlist and without requiring user approval. This allows an attacker via indirect or direct prompt injection to poison the shell environment by setting, modifying, or removing environment variables that influence trusted commands. This vulnerability is fixed in 2.3.CVE-2026-22708
  3. Cursor is a code editor built for programming with AI. In versions 1.7.23 and below, a logic bug allows a malicious agent to read sensitive files that should be protected via cursorignore. An attacker who has already achieved prompt injection, or a malicious model, could create a new cursorignore file which can invalidate the configuration of pre-existing ones. This could allow a malicious agent to read protected files. This issue is fixed in version 2.0.CVE-2025-64110
  4. Cursor is a code editor built for programming with AI. In versions 1.7.28 and below, an input validation flaw in Cursor's MCP server installation enables specially crafted deep-links to bypass the standard security warnings and conceal executed commands from users if they choose to accept the server. If an attacker is able to convince a victim to navigate to a malicious deeplink, the victim will not see the correct speedbump modal, and if they choose to accept, will execute commands specified by the attackers deeplink.CVE-2025-64106
  5. Cursor is a code editor built for programming with AI. In versions 1.7.44 and below, various NTFS path quirks allow a prompt injection attacker to circumvent sensitive file protections and overwrite files which Cursor requires human approval to overwrite. Modification of some of the protected files can lead to RCE. Must be chained with a prompt injection or malicious model attach. Only affects systems supporting NTFS. This issue is fixed in version 2.0.CVE-2025-64108

References

Sources include official advisories and independent security research.