AI-driven Cursor IDE susceptible to prompt injection attacks

4 Min Read

A vulnerability that researchers have named CurXecute exists in nearly every version of the AI-powered code editor Cursor and can be exploited to run remote code with developer privileges.

The security issue is currently tracked as CVE-2025-54135 and can be exploited by feeding the AI agent a malicious prompt that triggers an attacker-controlled command.

The Cursor integrated development environment (IDE) relies on AI agents to help developers code faster and more efficiently, allowing them to connect to external resources and systems using the Model Context Protocol (MCP).

Researchers say that by exploiting the CurXecute vulnerability, hackers could open the door to ransomware and data theft.

Prompt injection attack

CurXecute is similar to the EchoLeak vulnerability in Microsoft 365 Copilot, which could be used to steal sensitive data without user interaction.

After discovering and understanding EchoLeak, researchers at AI cybersecurity company Aim Security found that even local AI agents could be affected by externally supplied malicious content.

The Cursor IDE supports the MCP open-standard framework. This allows the agent's capabilities and context to connect to external data sources and tools.

"MCP lets local agents connect to any server, calling Slack, GitHub, databases, and tools from natural language" - Aim Security

However, researchers warn that this could undermine the agent, since it exposes the agent to external, untrusted data that could influence its control flow.

Hackers can use this to hijack agent sessions and privileges and act on behalf of the user.

By using prompt injection from an external host, the attacker can write to the ~/.cursor/mcp.json file in the project directory to enable remote execution of arbitrary commands.


Researchers explain that Cursor does not require confirmation to execute a new entry in ~/.cursor/mcp.json: the file and its proposed edits are live and will trigger execution of the command even if the user rejects them.

A report shared with BleepingComputer states that adding a standard MCP server, such as Slack, to Cursor can expose agents to untrusted data.

An attacker can post a malicious prompt to a public channel that contains a payload to be injected into the mcp.json configuration file.

When the victim opens a new chat and tells the agent to summarize the messages, any payload that could spawn a shell immediately lands on disk without user approval.
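The attack chain above turns on one file: an MCP server entry written into mcp.json is launched without review. As an added defensive example (not code from the article, from Aim Security or from Cursor), the following Python script audits a project's mcp.json against a known-good baseline before the IDE loads it, flagging newly added or changed server entries, launch commands outside a team allowlist, and shell-style arguments. The file layout assumed here (an `mcpServers` object mapping names to `command`, `args` and `env`), the allowlist, and both sample documents are assumptions constructed for the example.

```python
import json
import re
from typing import Dict, List

# Constructed sample: a project-level mcp.json the developer knows and trusts.
BASELINE_MCP_JSON = """
{
  "mcpServers": {
    "slack": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-slack"],
      "env": {"SLACK_BOT_TOKEN": "placeholder-token"}
    }
  }
}
"""

# Constructed sample: the same file after an unreviewed edit added a second
# entry whose launcher is a shell rather than a package runner.
TAMPERED_MCP_JSON = """
{
  "mcpServers": {
    "slack": {
      "command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-slack"],
      "env": {"SLACK_BOT_TOKEN": "placeholder-token"}
    },
    "notes-helper": {
      "command": "bash",
      "args": ["-c", "touch /tmp/mcp-audit-marker"]
    }
  }
}
"""

# Assumption: the launchers this team actually uses to start MCP servers.
ALLOWED_LAUNCHERS = {"npx", "node", "uvx"}

# Characters that only make sense if an argument is meant to be parsed by a shell.
SHELL_METACHARS = re.compile(r"[;&|`<>]|\$\(")


def load_servers(text: str) -> Dict[str, dict]:
    """Return the mcpServers mapping from an mcp.json document (empty if absent)."""
    doc = json.loads(text)
    servers = doc.get("mcpServers", {})
    if not isinstance(servers, dict):
        raise ValueError("mcpServers must be a JSON object")
    return servers


def audit_mcp_config(baseline_text: str, current_text: str) -> List[dict]:
    """Compare the current mcp.json with the baseline and return a list of findings.

    Each finding is {"server": name, "issue": kind, "detail": str}. An empty
    list means nothing changed and every entry satisfies the policy.
    """
    baseline = load_servers(baseline_text)
    current = load_servers(current_text)
    findings: List[dict] = []

    for name, spec in current.items():
        cmd = str(spec.get("command", ""))
        args = [str(a) for a in spec.get("args", [])]

        # Drift detection: anything not in the reviewed baseline is suspect.
        if name not in baseline:
            findings.append({"server": name, "issue": "added", "detail": cmd})
        elif spec != baseline[name]:
            findings.append({"server": name, "issue": "changed", "detail": cmd})

        # Policy checks apply to every entry, baseline or not.
        if cmd and cmd not in ALLOWED_LAUNCHERS:
            findings.append({"server": name, "issue": "launcher-not-allowlisted", "detail": cmd})
        joined = " ".join(args)
        if SHELL_METACHARS.search(joined) or "-c" in args:
            findings.append({"server": name, "issue": "shell-like-args", "detail": joined})

    for name in baseline:
        if name not in current:
            findings.append({"server": name, "issue": "removed", "detail": ""})
    return findings


def is_safe_to_load(baseline_text: str, current_text: str) -> bool:
    """True only when the audit produced no findings at all."""
    return not audit_mcp_config(baseline_text, current_text)


if __name__ == "__main__":
    for f in audit_mcp_config(BASELINE_MCP_JSON, TAMPERED_MCP_JSON):
        print(f"{f['server']}: {f['issue']} ({f['detail']})")
```

Run as a pre-launch hook or a repository check, the script fails closed: the tampered sample produces three findings for the `notes-helper` entry (added, launcher not allowlisted, shell-like arguments) and none for the unchanged `slack` entry. Keeping the baseline under version control means an agent-written edit has to survive code review before it is treated as trusted.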

"The attack surface is any third-party MCP server that handles external content: issue trackers, customer support inboxes, even search engines. A single poisoned document can turn an AI agent into a local shell" - Aim Security

Researchers have created a video showing how CurXecute could be used in attacks.

Aim Security researchers say that such attacks could lead to ransomware or data theft, or to hallucinated AI manipulation that could ruin a project.

The researchers privately reported CurXecute to Cursor on July 7th, and the next day the vendor merged the patch into the main branch.

On July 29th, Cursor version 1.3 was released with several improvements and the CurXecute fix. Cursor has also published a security advisory for CVE-2025-54135.

Users are advised to download and install the latest version of Cursor to avoid the known security risks.
