Cursor — Security Profile
Product Overview
Cursor is an AI-powered IDE forked from VS Code, developed by Anysphere. It deeply integrates LLMs (GPT-4, Claude) for code generation, editing, and agentic task execution. Its attack surface is uniquely broad because it combines traditional IDE risks, AI agent risks, MCP integration risks, and inherited Chromium/Electron vulnerabilities.
| Component | Description | Attack Surface |
|---|---|---|
| Cursor Editor | VS Code fork with AI agent integration | RCE via workspace files, prompt injection, config manipulation |
| Cursor Agent | AI agent that reads code, writes files, executes commands | Prompt injection → file write → code execution chains |
| MCP Integration | Model Context Protocol server support | MCP config poisoning, trust bypass, persistent RCE |
| Chromium/Electron Runtime | Underlying browser engine | 94+ inherited CVEs from outdated Chromium builds |
| Extensions | VS Code extension ecosystem | Extension vulnerabilities affect Cursor (Live Server, Code Runner, etc.) |
Cursor Agent & IDE Vulnerabilities
CVE Table — Cursor-Specific Flaws
| CVE | Severity | CWE | Description | Fixed In | Control |
|---|---|---|---|---|---|
| CVE-2025-54135 (CurXecute) | 8.6 (High) | CWE-94 | RCE via MCP auto-start. When an external MCP server is configured, an attacker can use the Agent to rewrite .cursor/mcp.json. With "Auto-Run" enabled, malicious commands execute immediately without user approval. | v1.3 | Disable Auto-Run for MCP commands; audit .cursor/mcp.json before opening shared projects; require explicit approval for all MCP changes |
| CVE-2025-54136 (MCPoison) | High | CWE-284 | Persistent RCE via MCP trust bypass. Attacker adds benign MCP config to shared repo, waits for victim to approve it, then replaces config with malicious payload. Once approved, the config is trusted indefinitely — even after modification. | v1.3 | Re-approve MCP configs after any modification; implement hash-based config integrity checks; review MCP configs on every git pull |
| CVE-2025-59944 | 8.1 (High) | CWE-178 | Case-sensitivity bypass in file protection. On Windows/macOS (case-insensitive filesystems), crafted inputs using different casing bypass protections on sensitive files like .cursor/mcp.json. | v1.7 | Update to v1.7+; normalize file paths case-insensitively in all validation logic |
| CVE-2025-61590 | 7.5 (High) | CWE-78 | RCE via VS Code Workspace file manipulation. Prompt injection through a compromised MCP server causes the Agent to write into .code-workspace files, modifying workspace settings to achieve code execution. Bypasses CVE-2025-54130 fix. | v1.7 | Restrict Agent file write permissions to exclude workspace config files; monitor .code-workspace modifications |
| CVE-2025-61591 | 8.8 (High) | CWE-287 | Malicious MCP server impersonation via OAuth. Attacker creates a malicious MCP server that mimics a legitimate one through OAuth flows, gaining trusted execution within Cursor. | Patch 2025.09.17 | Validate MCP server identity beyond OAuth tokens; implement MCP server allowlisting |
| CVE-2025-61592 | 7.5 (High) | CWE-78 | RCE via malicious project CLI configuration. Prompt injection enables writing to Cursor CLI config files that execute on startup. | Patch 2025.09.17 | Monitor CLI config file modifications; sandbox Cursor startup execution |
| CVE-2025-61593 | 7.5 (High) | CWE-78 | CLI agent file modification leading to RCE. Agent can be prompted to modify files that control CLI behavior, achieving persistent code execution. | Patch 2025.09.17 | Restrict Agent write access to CLI configuration paths; file integrity monitoring on Cursor config directories |
Attack Chains
MCP Poisoning (CurXecute):
Attacker configures external MCP server (e.g., Slack)
→ MCP server returns prompt injection payload in response data
→ Cursor Agent processes injected instructions
→ Agent rewrites ~/.cursor/mcp.json to include malicious MCP entry
→ With Auto-Run enabled, malicious commands execute immediately
→ Attacker achieves persistent RCE on developer's machine
Supply Chain via MCPoison:
Attacker commits benign .cursor/mcp.json to shared GitHub repo
→ Developer clones repo, opens in Cursor, approves MCP config
→ Attacker updates .cursor/mcp.json with malicious payload via new commit
→ Developer pulls latest code
→ Cursor trusts the previously-approved config — no re-approval needed
→ Malicious MCP commands execute automatically on every Cursor launch
→ Persistent RCE across all future sessions
Workspace Manipulation Chain:
Developer connects to compromised/malicious MCP server
→ MCP server returns prompt injection via tool output
→ Cursor Agent writes to .code-workspace file
→ Workspace settings modified to execute attacker's code
→ Code runs with developer's full privileges
Inherited Chromium Vulnerabilities
Cursor is built on an outdated VS Code fork that bundles an old Electron release, which embeds an outdated Chromium and V8 engine. As of late 2025, OX Security documented 94+ known CVEs in Cursor's Chromium build that have been patched upstream but not in Cursor.
Notable Inherited CVEs
| CVE | Component | Severity | Description | Status in Cursor |
|---|---|---|---|---|
| CVE-2025-4609 | Chromium IPC (ipcz) | Critical | Sandbox escape — compromised renderer gains browser process handles. Earned $250K Google bounty. | Unpatched as of research date |
| CVE-2025-7656 | V8 JIT (Maglev) | High | Integer overflow in V8. OX Security weaponized this against Cursor via deeplink exploit. | Unpatched as of research date |
| CVE-2025-5419 | V8 Engine | High | Out-of-bounds read/write. In CISA KEV (confirmed exploited in the wild). | Unpatched as of research date |
| CVE-2025-6554 | V8 Engine | High | Type confusion. In CISA KEV (confirmed exploited in the wild). | Unpatched as of research date |
| CVE-2025-4664 | Chromium | High | Cross-origin data leak. Confirmed by Google as actively exploited. Enables account takeover. | Unpatched as of research date |
Why This Matters
These aren't theoretical — CISA has added several of these to the Known Exploited Vulnerabilities catalog, confirming active exploitation in the wild. The exploitation path demonstrated by OX Security:
Attacker crafts deeplink URL → triggers Cursor to open
→ Deeplink injects prompt telling Cursor's browser to visit attacker URL
→ Attacker's page serves JavaScript exploiting CVE-2025-7656
→ V8 integer overflow triggers → renderer crash / potential RCE
Control
The only effective control is for Anysphere to update Chromium. As an end user, you cannot patch this yourself. Mitigations:
- Run Cursor in an isolated VM or container for untrusted work
- Don't click deeplinks from untrusted sources
- Monitor for Cursor updates and apply immediately
- Consider using standard VS Code (which receives regular Chromium updates) for sensitive projects
Workspace Trust Vulnerability
Cursor ships with VS Code's Workspace Trust feature disabled by default. This means .vscode/tasks.json files with runOptions.runOn: "folderOpen" auto-execute the moment a developer opens a project folder — no prompt, no consent.
| Risk | Description | Control |
|---|---|---|
| Silent code execution on folder open | Malicious .vscode/tasks.json runs arbitrary commands when project is opened | Enable Workspace Trust in settings; set task.allowAutomaticTasks: "off" |
| Supply chain via shared repos | Attacker commits malicious tasks.json to any repository the developer might clone | Audit .vscode/ directory in all cloned repos; open untrusted repos in containers |
VS Code Extension Vulnerabilities (Shared with Cursor)
Because Cursor is a VS Code fork, it inherits vulnerabilities in VS Code extensions:
| CVE | Extension | Downloads | Description | Control |
|---|---|---|---|---|
| CVE-2025-65717 | Live Server | 72M+ | Remote unauthenticated file exfiltration. Attacker sends malicious link while Live Server runs in background. | Disable Live Server when not actively using it; restrict to localhost only |
| CVE-2025-65716 | Markdown Preview Enhanced | 8.5M+ | Arbitrary JavaScript execution via crafted Markdown files. Can scan local network and exfiltrate data. | Avoid previewing untrusted Markdown; disable HTML rendering in preview |
| CVE-2025-65715 | Code Runner | 37M+ | Arbitrary code execution via settings.json manipulation through social engineering. | Don't modify settings.json based on external instructions; review all settings changes |
Hardening Recommendations
Immediate Actions
□ Update Cursor to the latest version
□ Enable Workspace Trust: Settings → search "trust" → enable
□ Set task.allowAutomaticTasks: "off"
□ Audit .cursor/mcp.json in all projects
□ Audit .vscode/tasks.json in all projects
□ Disable Auto-Run for MCP servers
□ Remove unused extensions
Organizational Controls
□ Mandate Cursor updates via endpoint management
□ Deploy file integrity monitoring on .cursor/ and .vscode/ directories
□ Block deeplink execution from untrusted sources
□ Run Cursor in containers/VMs for untrusted repositories
□ Monitor for unexpected child processes spawned by Cursor
□ Maintain an approved MCP server allowlist
□ Consider using standard VS Code for high-security projects
□ Log and alert on MCP configuration changes
What to Test in Engagements
Cursor Red Team Checklist
□ MCP config injection — can you write to .cursor/mcp.json via prompt injection?
□ MCP trust persistence — does a modified config retain approval?
□ Workspace Trust bypass — does .vscode/tasks.json auto-execute on folder open?
□ Agent file write scope — can the Agent write to config files?
□ Deeplink exploitation — can deeplinks trigger browser navigation?
□ Case-sensitivity bypass — test file protection with mixed-case paths
□ Extension vulnerability testing — Live Server, Code Runner, Markdown Preview
□ Workspace file manipulation — can prompt injection modify .code-workspace?
□ OAuth MCP impersonation — can a rogue server gain trusted MCP status?
□ Chromium version check — what Chromium version is bundled?
□ Prompt injection via MCP tool output — can external tools inject instructions?