Overview

• The CurXecute flaw (CVE-2025-54135) in Cursor’s Model Context Protocol auto-run allowed attackers to rewrite the ~/.cursor/mcp.json file and execute remote code under developer privileges, a vulnerability addressed in version 1.3 on July 29.
• Cursor replaced its denylist-based protections with an allowlist model for the auto-run feature after BackSlash Research and other teams demonstrated bypass techniques using encoding and shell obfuscation.
• HiddenLayer researchers showed that malicious instructions embedded in a GitHub README.md could hijack Cursor’s AI agent to exfiltrate SSH keys and internal prompts through tool-combination attacks.
• Experts warn that prompt-injection patterns are intrinsic to AI agents that bridge external data sources and internal execution, leaving similar tools vulnerable to ransomware, data theft and hallucination risks.
• Users are urged to upgrade to Cursor v1.3 immediately and implement stricter guardrails as comparable vulnerabilities surface in other AI-assisted coding tools such as Google’s Gemini CLI.