August 5, 2025
4 Min Read
Researchers have disclosed two vulnerabilities in Cursor, the popular AI-assisted code editor, that impact its handling of model context protocol (MCP) servers, which could be used to gain code execution on vulnerable systems.
Background
Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding two recently disclosed vulnerabilities in Cursor IDE.
FAQ
What is Cursor?
Cursor is an AI-assisted integrated development environment (IDE), or AI code editor, developed by Anysphere. It was first released in March 2023.
Who uses Cursor?
In January 2025, Cursor had over 1 million users, according to a Bloomberg report. The company states that Cursor is used by over half of the Fortune 500, naming NVIDIA, Uber and Adobe among its customers.
What is CurXecute and MCPoison?
CurXecute and MCPoison are the names given to two separate vulnerabilities in Cursor.
What are the vulnerabilities associated with CurXecute and MCPoison?
The following are the CVEs assigned for both CurXecute and MCPoison:
| CVE | Description | CVSSv3 |
|---|---|---|
| CVE-2025-54135 | Cursor Arbitrary Code Execution Vulnerability (“CurXecute”) | 8.5 |
| CVE-2025-54136 | Cursor Remote Code Execution via Unverified Configuration Modification Vulnerability (“MCPoison”) | 7.2 |
When were these vulnerabilities first disclosed?
CurXecute (CVE-2025-54135) was disclosed on August 1 by researchers at AIM Security while MCPoison (CVE-2025-54136) was disclosed on August 5 by researchers at Check Point Research.
Were any of these vulnerabilities exploited as a zero-day?
No, these vulnerabilities were disclosed to Cursor by the respective researchers through coordinated disclosure on July 7 (CurXecute) and July 16 (MCPoison).
Are there any proofs-of-concept (PoCs) available for CurXecute and MCPoison?
Yes, the researchers have published PoC details on their respective blog posts, explaining how attackers could potentially exploit these flaws.
How severe are CurXecute and MCPoison?
Both vulnerabilities have the potential to be severe, but it is context dependent. The common thread between the two flaws is how Cursor handles interaction with MCP servers.
For a primer on MCP, read the blog Frequently Asked Questions About Model Context Protocol (MCP) and Integrating with AI for Agentic Applications. Additionally, Tenable Research has published investigations into MCP security, including MCP prompt injection and our discovery of a critical flaw in Anthropic MCP Inspector.
In the example outlined by AIM Security for CurXecute, an attacker could leverage prompt injection by targeting an MCP connected to a Slack instance, sending a crafted message that would be processed by the Slack MCP Server and read by Cursor to modify the underlying global mcp.json configuration settings even before the user has a chance to reject the suggested edits by AI. Crucially, Cursor would execute the command added to the modified MCP configuration immediately.
In the example outlined by Check Point Research for MCPoison, the flaw stems from the approval of an MCP server that contains a project-specific configuration (mcp.json). Once this MCP server has been approved by the target, any changes to the underlying configuration are considered trusted because it is bound by the MCP name not its contents. This would allow an attacker to modify the configuration to include malicious commands that would be executed silently and without requiring re-approval.
AI-assisted code editors help with the development of software but they introduce a new layer of risk. Whether through enabling MCP servers that could be vulnerable to prompt injection (CurXecute) or leveraging a seemingly harmless open-source project that is then compromised by a malicious contributor (MCPoison).
Are patches or mitigations available for CurXecute and MCPoison?
Yes, Cursor has released updated versions of its IDE to address both CurXecute and MCPoison.
| CVE | Affected Product | Affected Versions | Fixed Version |
|---|---|---|---|
| CVE-2025-54135 | Cursor | 1.21 and below | 1.3.9 |
| CVE-2025-54136 | Cursor | 1.2.4 and below | 1.3 |
Has Tenable released any product coverage for these vulnerabilities?
A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:
This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.
Customers can also use our MCP Server Detected plugin to identify MCP server usage.
Get more information
- When Public Prompts Turn Into Local Shells: ‘CurXecute’ – RCE in Cursor via MCP Auto‑Start
- MCPoison Cursor IDE: Persistent Code Execution via MCP Trust Bypass
Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.
Satnam Narang
Senior Staff Research Engineer, Security Response
Satnam joined Tenable in 2018. He has over 15 years experience in the industry (M86 Security and Symantec). He contributed to the Anti-Phishing Working Group, helped develop a Social Networking Guide for the National Cyber Security Alliance, uncovered a huge spam botnet on Twitter and was the first to report on spam bots on Tinder. He's appeared on NBC Nightly News, Entertainment Tonight, Bloomberg West, and the Why Oh Why podcast.
Interests outside of work: Satnam writes poetry and makes hip-hop music. He enjoys live music, spending time with his three nieces, football and basketball, Bollywood movies and music and Grogu (Baby Yoda).
- Exposure Management
- Vulnerability Management
Cybersecurity news you can use
Enter your email and never miss timely alerts and security guidance from the experts at Tenable.