Several Vulnerabilities Patched in AI Code Editor Cursor

A vulnerability in the AI code editor Cursor allowed remote attackers to exploit an indirect prompt injection issue to modify sensitive MCP files and execute arbitrary code.

Tracked as CVE-2025-54135 (CVSS score of 8.6), the flaw existed because Cursor did not require user approval when creating a sensitive MCP file.

The security defect allowed an attacker to write a dotfile, such as the .cursor/mcp.json file, through an indirect prompt injection, and then trigger remote code execution (RCE) without the user’s approval.

“If chained with a separate prompt injection vulnerability, this could allow the writing of sensitive MCP files on the host by the agent. This can then be used to directly execute code by adding it as a new MCP server,” Cursor’s advisory reads.

According to Aim Labs, which discovered the bug and called it CurXecute, the issue is that suggested mcp.json edits immediately ...