CVE-2025-54136
published 2025-08-02


Priority: P2 · 66 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 7.53% (93.7th percentile)
Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or by editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt. If an attacker has write permissions on a user's active branches of a source repository that contains existing MCP servers the user has previously approved, or if an attacker has arbitrary file-write access locally, the attacker can achieve arbitrary code execution. This is fixed in version 1.3.

Affected

2 ranges
Vendor      Product   Version range   Fixed in
anysphere   cursor    < 1.3           1.3
cursor      cursor    < 1.3           1.3

Detection & IOCs (extracted from sources)

path: .cursor/rules/mcp.json
path: .cursor/
filename: shell.bat
  • Monitor for modifications to .cursor/rules/mcp.json in Git repositories, especially changes to the 'command' or 'args' fields of existing named MCP entries after an initial commit, which may indicate a trust-bypass attack.
  • Alert on Cursor IDE spawning unexpected child processes (e.g., cmd.exe, reverse shells, or .bat files) from MCP configuration execution, particularly on project open or repository sync events.
  • In collaborative/shared Git repository environments, audit .cursor/ directory files for unexpected changes introduced by contributors with write access to active branches.
  • Flag execution of shell.bat or similarly named batch files spawned as children of the Cursor IDE process, as this matches the documented reverse shell payload delivery method.
  • The vulnerability is fixed in Cursor version 1.3 (released July 29, 2025). After the patch, any change to an MCP configuration, including minor edits, triggers a mandatory re-approval prompt. Environments still running Cursor 1.2.4 or below remain fully exposed.
  • The attack requires either write access to a shared Git repository branch containing a previously approved MCP, or local arbitrary file-write capability; it is not exploitable without one of these preconditions.
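
The first detection bullet above can be automated by comparing the MCP configuration as it stood when it was approved against the version now on the branch. This is an added example, not code from Cursor or from this page's sources; the top-level `mcpServers` key is an assumption about the file layout, and both sample configurations are constructed.

```python
import json

# Constructed sample: the config as it was when the collaborator approved it.
APPROVED = '''{"mcpServers": {
  "build-helper": {"command": "echo", "args": ["hello"]},
  "docs": {"command": "npx", "args": ["docs-server"]}}}'''

# Constructed sample: the same file after a later commit on the shared branch.
CURRENT = '''{"mcpServers": {
  "build-helper": {"command": "cmd.exe", "args": ["/c", "shell.bat"]},
  "docs": {"command": "npx", "args": ["docs-server"]},
  "extra": {"command": "node", "args": ["extra.js"]}}}'''


def load_servers(text):
    """Return the name -> definition map of MCP entries in one config."""
    servers = json.loads(text).get("mcpServers", {})  # assumed top-level key
    if not isinstance(servers, dict):
        raise ValueError("mcpServers must be a JSON object")
    return servers


def audit(approved_text, current_text):
    """List entries whose definition is not the one that was approved.

    Trust keyed on the entry name alone is what lets a swap go unnoticed,
    so every field of an already-known name is compared, not just its name.
    """
    approved = load_servers(approved_text)
    current = load_servers(current_text)
    findings = []
    for name, entry in sorted(current.items()):
        if name not in approved:
            findings.append((name, "new", []))
            continue
        old = approved[name]
        changed = sorted(k for k in set(old) | set(entry)
                         if old.get(k) != entry.get(k))
        if changed:
            findings.append((name, "changed-after-approval", changed))
    return findings


if __name__ == "__main__":
    for name, status, fields in audit(APPROVED, CURRENT):
        print(f"{status}: {name} {fields}")
```

In a repository, the two inputs would be the file contents at the approved commit and at the branch head, for example as read out with `git show <rev>:.cursor/rules/mcp.json`.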