CVE-2025-54135

Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions below 1.3.9, If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive MCP files, such as the .cursor/mcp.json file don't already exist in the workspace, an attacker can chain a indirect prompt injection vulnerability to hijack the context to write to the settings file and trigger RCE on the victim without user approval. This is fixed in version 1.3.9.

CVSS v3 8.5 HIGH

8.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 1.8 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/cursor/cursor/security/advisories/GHSA-4cxx-hrm3-49rm	Vendor Advisory Mitigation

Configurations

Configuration 1 (hide)

cpe:2.3:a:anysphere:cursor:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-08-05 01:15

Updated : 2025-08-25 01:36

NVD link : CVE-2025-54135

Mitre link : CVE-2025-54135

CVE.ORG link : CVE-2025-54135

JSON object : View

Products Affected

anysphere

cursor

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

{"id": "CVE-2025-54135", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 1.8}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2025-08-05T01:15:41.410", "references": [{"url": "https://github.com/cursor/cursor/security/advisories/GHSA-4cxx-hrm3-49rm", "tags": ["Vendor Advisory", "Mitigation"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-829"}]}], "descriptions": [{"lang": "en", "value": "Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions below 1.3.9, If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive MCP files, such as the .cursor/mcp.json file don't already exist in the workspace, an attacker can chain a indirect prompt injection vulnerability to hijack the context to write to the settings file and trigger RCE on the victim without user approval. This is fixed in version 1.3.9."}, {"lang": "es", "value": "Cursor es un editor de c\u00f3digo dise\u00f1ado para programar con IA. En versiones anteriores a la 1.3.9, Cursor permite escribir archivos en el espacio de trabajo sin la aprobaci\u00f3n del usuario. Si el archivo es un archivo de puntos, editarlo requiere aprobaci\u00f3n, pero crear uno nuevo no. Por lo tanto, si no existen archivos MCP sensibles, como el archivo .cursor/mcp.json, en el espacio de trabajo, un atacante puede encadenar una vulnerabilidad de inyecci\u00f3n indirecta de solicitud para secuestrar el contexto y escribir en el archivo de configuraci\u00f3n, lo que activar\u00e1 una RCE en la v\u00edctima sin la aprobaci\u00f3n del usuario. Esto se corrigi\u00f3 en la versi\u00f3n 1.3.9."}], "lastModified": "2025-08-25T01:36:47.557", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:anysphere:cursor:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "17297CB2-0B98-497A-8796-F7F09E9B9876", "versionEndExcluding": "1.3.9"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}