Critical CVEs

Cursor MCP Server Critical Vulnerabilities

Two critical vulnerabilities (CVE-2025-54135 and CVE-2025-54136) in Cursor's Model Context Protocol server allow attackers to execute arbitrary commands and access files outside allowed directories.

CVE-2025-54135: Command Injection

CVE ID: CVE-2025-54135
Severity: Critical (CVSS 9.8)
Vulnerability Type: Command Injection / RCE
Affected Component: Cursor MCP Server
Attack Vector: Network (Prompt Injection)
Disclosure Date: January 2025

CVE-2025-54136: Path Traversal

CVE ID: CVE-2025-54136
Severity: High (CVSS 8.1)
Vulnerability Type: Path Traversal / Directory Escape
Affected Component: Cursor MCP File Operations
Attack Vector: Network (Prompt Injection)
Impact: Arbitrary File Read/Write

Technical Analysis

Command Injection (CVE-2025-54135)

The Cursor MCP server's command execution functionality fails to properly sanitize inputs before passing them to the system shell. When the AI model invokes terminal commands, specially crafted inputs can break out of the intended command context and execute arbitrary code.

Vulnerable Pattern

// Vulnerable code pattern (simplified): a user-controlled string is
// interpolated into a command line and handed to exec(), which runs it
// through the system shell, so shell metacharacters in userInput are
// interpreted rather than treated as a literal argument.
const { exec } = require("child_process");
const command = `git status ${userInput}`;
exec(command); // userInput not sanitized

// Attack payload: "; rm -rf / #"
// Results in: git status ; rm -rf / #

Path Traversal (CVE-2025-54136)

The file system operations in Cursor's MCP server do not properly validate file paths. By using path traversal sequences (../) or symlinks, an attacker can read or write files outside the intended project directory.

Attack Example

// Intended: Read files only in /project/src
readFile("/project/src/config.ts")

// Attack: Path traversal to read sensitive files
readFile("/project/src/../../../.ssh/id_rsa")
readFile("/project/src/../../../.aws/credentials")

Attack Scenario

  1. Attacker creates malicious content (GitHub repo, npm package, or website) with hidden prompt injection
  2. Developer asks Cursor to analyze or integrate the malicious content
  3. Hidden instructions in the content cause Cursor to execute malicious commands or access sensitive files
  4. Attacker gains access to credentials, source code, or establishes persistent access

Potential Impact

Credential Theft

Access to SSH keys, AWS credentials, API tokens, and other secrets stored on the developer's machine

Source Code Exfiltration

Read any file on the system including proprietary source code and configuration

Backdoor Installation

Modify system files or install persistent malware that survives reboots

Lateral Movement

Use compromised credentials to access cloud resources, CI/CD pipelines, and production systems

Mitigation Steps

Update Cursor Immediately

Ensure you're running the latest version of Cursor with security patches applied

Enable Yolo Mode Carefully

If using 'Yolo mode' (auto-accept commands), disable it or use strict allowlists

Review All Command Executions

Carefully review and approve each terminal command before execution

Use Isolated Development Environments

Run Cursor in containers or VMs without access to sensitive credentials

Audit Trusted Sources

Be cautious with external repositories, packages, and websites you ask Cursor to analyze

Disclosure Timeline

January 2025: Vulnerabilities discovered by security researchers
January 2025: Responsible disclosure to Cursor security team
January 2025: CVE IDs assigned (CVE-2025-54135, CVE-2025-54136)
January 2025: Public disclosure and patch release


Last updated: January 2025