Cursor

A high-severity vulnerability (CVE-2025-54136, CVSS 7.2), dubbed MCPoison, was discovered in Cursor’s AI-powered code editor. It enabled remote, persistent code execution through manipulated Model Context Protocol (MCP) configurations. An attacker could commit a benign MCP config to a shared GitHub repository, wait for a victim to approve it, then silently replace it with a malicious payload (e.g., a backdoor, or a command such as launching `calc.exe`). The flaw stemmed from Cursor’s trust model, which trusted an approved config indefinitely even after it was modified, exposing organizations to supply chain risk, data theft, and intellectual property exfiltration without detection. The issue was patched in Cursor v1.3 (July 2025) by requiring re-approval whenever an MCP config changes.

The vulnerability also underscored broader risks in AI-assisted development, including AI supply chain attacks, model poisoning, and unsafe code generation. Research highlighted that 45% of LLM-generated code (Java worst at 72%) introduced OWASP Top 10 vulnerabilities, while novel attack vectors such as LegalPwn (prompt injection via legal disclaimers), Man-in-the-Prompt (rogue browser extensions), and MAS hijacking (multi-agent system compromise) further demonstrated systemic weaknesses in AI security paradigms. Exploitation of the flaw could lead to unauthorized data access, lateral movement, and persistent compromise of developer workflows, amplifying risks for enterprises integrating LLMs into critical systems.
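To make the trust-model flaw concrete, here is an added example (not Cursor's code) that contrasts an approval store keyed only by file path, which keeps trusting a config after it is edited, with one keyed by the approved content's hash, which forces re-approval on any change, the behaviour the v1.3 fix enforces. The config contents, server names, commands and path are constructed.

```python
"""Added example (not Cursor's code): a path-keyed MCP approval store that keeps
trusting an edited config versus a content-keyed store that forces re-approval.
Configs, paths and commands below are constructed."""
import hashlib
import json

# Constructed MCP config as a reviewer first saw and approved it.
APPROVED_CFG = {"mcpServers": {"lint": {"command": "npx", "args": ["lint-server"]}}}
# Constructed later edit to the same file: not what was approved.
MODIFIED_CFG = {"mcpServers": {"lint": {"command": "sh", "args": ["-c", "echo changed"]}}}

def canonical_digest(cfg: dict) -> str:
    """SHA-256 over canonical JSON: key order/whitespace are ignored, any semantic change is not."""
    data = json.dumps(cfg, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(data).hexdigest()

class PathTrustStore:
    """Flawed model: approval keyed by path only and never revisited."""
    def __init__(self):
        self._approved = set()
    def approve(self, path, cfg):
        self._approved.add(path)
    def is_trusted(self, path, cfg):
        return path in self._approved

class ContentTrustStore:
    """Hardened model: approval bound to the approved content's digest, so an
    edited config stays untrusted until the new content is approved."""
    def __init__(self):
        self._approved = {}
    def approve(self, path, cfg):
        self._approved[path] = canonical_digest(cfg)
    def is_trusted(self, path, cfg):
        return self._approved.get(path) == canonical_digest(cfg)

def run_scenario(store, path="repo/.cursor/rules/mcp.json"):
    """Approve the original config, then check the silently edited one.
    Returns (trusted_before_edit, trusted_after_edit)."""
    store.approve(path, APPROVED_CFG)
    before = store.is_trusted(path, APPROVED_CFG)
    after = store.is_trusted(path, MODIFIED_CFG)  # edited on disk, never re-approved
    return before, after

if __name__ == "__main__":
    print("path-keyed   :", run_scenario(PathTrustStore()))     # (True, True)  the flaw
    print("content-keyed:", run_scenario(ContentTrustStore()))  # (True, False) the fix
```

Hashing a canonical encoding rather than the raw bytes means a harmless reformat of the file does not nag for re-approval, while any change to a command or argument does.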

Source: https://thehackernews.com/2025/08/cursor-ai-code-editor-vulnerability.html

TPRM report: https://www.rankiteo.com/company/anysphereinc

{
  "id": "any3152731110525",
  "linkid": "anysphereinc",
  "type": "Vulnerability",
  "date": "11/2024",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{
  "affected_entities": [
    {
      "industry": ["Software Development", "AI/ML", "Developer Tools"],
      "name": "Cursor",
      "type": "Private Company"
    }
  ],
  "attack_vector": [
    "Shared Repository (GitHub)",
    "Local File Modification",
    "MCP Configuration Poisoning",
    "Supply Chain Compromise"
  ],
  "customer_advisories": [
    "Users recommended to review approved MCP configurations",
    "Warning about potential malicious MCP files in collaborative projects"
  ],
  "data_breach": {
    "data_exfiltration": "Possible (if exploited)",
    "file_types_exposed": [".cursor/rules/mcp.json", "Potential Script Files"],
    "sensitivity_of_data": [
      "High (Code Execution Capability)",
      "Medium (Development Workflow Disruption)"
    ],
    "type_of_data_compromised": [
      "Code Repositories",
      "MCP Configuration Files",
      "Potential Intellectual Property"
    ]
  },
  "date_publicly_disclosed": "2025-07-16",
  "date_resolved": "2025-07-31",
  "description": "A high-severity security flaw in the AI-powered code editor Cursor, codenamed MCPoison (CVE-2025-54136, CVSS score: 7.2), allows remote code execution by exploiting a quirk in Model Context Protocol (MCP) server configurations. Attackers can modify an approved MCP configuration file in a shared GitHub repository or locally to achieve persistent code execution without triggering warnings. The vulnerability was patched in Cursor version 1.3 by requiring re-approval for MCP configuration changes.",
  "impact": {
    "brand_reputation_impact": [
      "Potential Erosion of Trust in AI Code Editors",
      "Concerns Over AI Security Posture"
    ],
    "data_compromised": [
      "Potential Intellectual Property Theft",
      "Codebase Compromise",
      "Sensitive Project Data"
    ],
    "operational_impact": [
      "Supply Chain Risk Exposure",
      "Loss of Trust in AI Tools",
      "Disruption of Development Workflows"
    ],
    "systems_affected": [
      "Cursor AI (versions < 1.3)",
      "AI-Assisted Development Environments",
      "LLM-Integrated Workflows"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": "Persistent code execution via modified MCP config",
    "entry_point": ["Shared GitHub Repository", "Local MCP Configuration File"],
    "high_value_targets": ["Development Environments", "Intellectual Property", "Build Systems"]
  },
  "investigation_status": "Resolved (Patched)",
  "lessons_learned": [
    "AI tool trust models require dynamic validation mechanisms, not static approvals.",
    "Supply chain risks in AI/ML ecosystems extend beyond traditional software dependencies.",
    "MCP and similar LLM integration protocols need robust change-detection safeguards.",
    "Developer tools with LLM integration create new attack surfaces for code execution.",
    "Static approval mechanisms for AI configurations are insufficient against dynamic threats."
  ],
  "post_incident_analysis": {
    "corrective_actions": [
      "Implemented dynamic re-approval for MCP configuration changes (Cursor v1.3).",
      "Enhanced validation of MCP file integrity during runtime.",
      "Added warnings for MCP configurations from untrusted sources.",
      "Improved documentation on secure MCP usage in collaborative environments."
    ],
    "root_causes": [
      "Static trust model for MCP configurations (one-time approval persisted indefinitely).",
      "Lack of change detection for approved AI tool configurations.",
      "Over-reliance on repository integrity for AI configuration files.",
      "Insufficient isolation between collaborative code and AI tool configurations."
    ]
  },
  "recommendations": [
    "Implement runtime integrity checks for AI configuration files (e.g., MCP).",
    "Adopt zero-trust principles for AI tool integrations in development workflows.",
    "Monitor for anomalous behavior in LLM-assisted code generation/outputs.",
    "Conduct regular security audits of AI/ML supply chain dependencies.",
    "Educate developers on emerging AI-specific threats (e.g., prompt injection, model poisoning).",
    "Isolate AI tool configurations from shared repositories when possible.",
    "Deploy behavioral detection for AI tool interactions (e.g., unexpected code execution)."
  ],
  "references": [
    {"source": "Check Point Research Advisory"},
    {"source": "Cursor Security Advisory (v1.3)"},
    {"source": "Anthropic MCP Standard Documentation"},
    {"source": "Pillar Security Analysis on AI Jailbreaks"}
  ],
  "response": {
    "communication_strategy": ["Public Advisory", "Responsible Disclosure Coordination"],
    "containment_measures": [
      "Patch Release (Cursor v1.3)",
      "Re-approval Requirement for MCP Configurations"
    ],
    "incident_response_plan_activated": true,
    "remediation_measures": ["Codebase Audit", "Trust Model Redesign for MCP Configurations"],
    "third_party_assistance": ["Check Point Research"]
  },
  "stakeholder_advisories": [
    "Developers using Cursor < v1.3 urged to update immediately",
    "Organizations advised to audit MCP configurations in shared repositories"
  ],
  "title": "Remote Code Execution Vulnerability in Cursor AI (CVE-2025-54136 / MCPoison)",
  "type": ["Vulnerability", "Remote Code Execution (RCE)", "Supply Chain Attack", "AI Security Flaw"],
  "vulnerability_exploited": "CVE-2025-54136 (MCPoison) - Trust Model Flaw in MCP Configuration Handling"
}