Opened Slack — Got a Shell: Critical Vulnerability in AI-Powered Cursor Editor
A critical flaw in the Cursor code editor allows silent attacks — no attachments, no malware, no links required.
A critical flaw in the Cursor code editor allows silent attacks — no attachments, no malware, no links required.
A serious security vulnerability has been discovered in the Cursor IDE, an AI-assisted code editor designed to help developers write and manage code. The flaw, dubbed CurXecute and assigned CVE-2025-54135, affects nearly all versions of the editor and enables remote command execution with user privileges — all it takes is a malicious request sent to the agent.
Root of the Issue: AI and MCP
Cursor uses a protocol called the Model Context Protocol (MCP) to let its AI assistant interact with external data sources like Slack, GitHub, or databases, executing commands based on natural language input. According to Aim Security, this very integration with external systems introduces a major weakness: the agent processes untrusted data that can alter its behavior.
The core of the vulnerability lies in prompt injection — a technique where specially crafted text manipulates an AI into executing unintended commands. Similar flaws have been seen before, like in Microsoft 365 Copilot, where attackers could extract sensitive data through prompt-based attacks.
Even more concerning: AI-generated code often contains subtle bugs or security holes that developers might overlook, making exploitation even easier.
How the Exploit Works
Cursor stores MCP configurations in ~/.cursor/mcp.json, a project-level config file. Researchers found that modifying this file takes effect immediately, even if the user rejects the AI’s proposed edits. An attacker can leverage this to inject malicious instructions via any external source connected through MCP.
One attack scenario:
- Attacker posts a poisoned message in a Slack channel connected to a Cursor project.
- The user opens the chat and asks the AI to summarize the conversation.
- The agent processes the content and silently writes malicious config values to disk — for example, a shell command or script execution.
- The result: remote code execution without any manual action by the user.
What's at Risk
Any MCP-connected service processing untrusted data is vulnerable — including:
- Task management systems
- Support platforms
- Search engines
- Public Slack/GitHub threads
Even a single prompt injection can turn your local AI agent into a remote access tool.
Potential consequences include:
- Ransomware installation
- Data theft
- Logic corruption via misleading AI suggestions
- Dependency hijacking (slopsquatting)
Response and Mitigation
- Vulnerability reported to Cursor on July 7, 2025
- Initial fix landed in the main branch the next day
- Final patch shipped on July 29 with Cursor 1.3
The issue received a CVSS score of 8.6 (high severity), although officially categorized as “medium risk” due to user-level execution constraints.
AI-enhanced tools like Cursor boost productivity — but they also introduce new threat surfaces. When your IDE starts talking to the internet, make sure it knows who it’s talking to.
