CurXecute RCE Flaw in Cursor AI

When AI code assistants misbehave, trust cracks.

A critical flaw in the Cursor AI code editor, dubbed CurXecute (CVE-2025-54135, CVSS 8.6), has been patched in version 1.3, released on July 29, 2025. The vulnerability allowed attackers to trigger remote code execution through a prompt injection delivered via MCP servers.

What Went Wrong

Cursor's Agent uses the Model Control Protocol (MCP) to connect with external services such as Slack or GitHub. Because MCP entries auto-run, and edits to the global ~/.cursor/mcp.json file execute immediately even if the user rejects them, an attacker could inject shell commands via a Slack message posted in a public channel.

The result: silent modification of the configuration file, followed by execution of arbitrary commands under developer‑level privileges. Potential impacts include ransomware deployment, data exfiltration, or AI hallucination attacks affecting code output and integrity.

Correction and Mitigation

Cursor addressed the issue in version 1.3, released on July 29, 2025. The update also blocked bypass techniques that exploited denylist logic via encoded shell commands or wrapper scripts. Users are strongly advised to upgrade immediately.
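
As a complement to upgrading, the global MCP configuration described above can be checked against a reviewed baseline. The following is an added example, not code from Cursor or from the original article. It assumes command-based entries under an "mcpServers" key with "command" and "args" fields; the function name, the shell list, the baseline and the sample entries are all constructed for illustration.

```python
import json
from pathlib import Path

# Interpreters that run arbitrary command strings (assumed, non-exhaustive list).
SHELLS = {"sh", "bash", "zsh", "cmd", "cmd.exe", "powershell", "pwsh"}

def audit_mcp_config(config_text, approved):
    """Return (server, reason) findings for the text of an mcp.json file.

    approved maps a server name to the reviewed [command, *args] list.
    """
    try:
        doc = json.loads(config_text)
    except json.JSONDecodeError:
        doc = None
    servers = doc.get("mcpServers", {}) if isinstance(doc, dict) else None
    if not isinstance(servers, dict):
        return [("<file>", "unparseable config")]
    findings = []
    for name, entry in servers.items():
        if not isinstance(entry, dict):
            findings.append((name, "malformed entry"))
            continue
        command = str(entry.get("command", ""))
        args = entry.get("args")
        argv = [command] + [str(a) for a in (args if isinstance(args, list) else [])]
        if name not in approved:
            findings.append((name, "not in approved baseline"))
        elif approved[name] != argv:
            findings.append((name, "differs from approved baseline"))
        # Compare only the file name so /bin/sh and a full path to cmd.exe both match.
        if command.replace("\\", "/").rsplit("/", 1)[-1].lower() in SHELLS:
            findings.append((name, "launches a shell interpreter"))
    return findings

# Constructed sample data; the package name is a placeholder, not a real package.
APPROVED = {"github": ["npx", "-y", "example-github-mcp"]}
SAMPLE = json.dumps({"mcpServers": {
    "github": {"command": "npx", "args": ["-y", "example-github-mcp"]},
    "notes": {"command": "/bin/sh", "args": ["-c", "echo constructed-example"]},
}})

if __name__ == "__main__":
    # Audit the real global config if present, otherwise the constructed sample.
    path = Path.home() / ".cursor" / "mcp.json"
    text = path.read_text() if path.exists() else SAMPLE
    for server, reason in audit_mcp_config(text, APPROVED):
        print(f"{server}: {reason}")
```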

Conclusion

The CurXecute vulnerability underscores a fundamental risk: AI‑enabled development tools, especially those that integrate with external systems, must not implicitly trust external input. As tools such as Cursor gain adoption, organizations must evaluate the security implications of agent‑based workflows and treat code generation pipelines as potential attack surfaces.

Proper patching, configuration validation, and threat detection around AI agents are no longer optional; they are essential.

About COE Security
At COE Security, we partner with enterprise teams across technology, financial services, healthcare, education, and telecommunications to secure emerging platforms. Our services include:
  • Risk assessment and threat modelling for AI-integrated DevOps environments
  • Secure configuration validation and patch management
  • Detection and response for suspicious agent and prompt-based activity
  • Incident response, SIEM tuning, and threat hunting for development‑adjacent threats
  • Compliance support for frameworks like GDPR, NIS 2, and ISO 27001

In response to vulnerabilities like CurXecute, COE Security helps clients by:

  • Conducting assessments of AI code‑editor deployments and external integrations
  • Designing control architectures to prevent unauthorized MCP entry execution
  • Deploying monitoring to detect anomalous prompts or file writes in IDE environments
  • Building policy enforcement via CI/CD pipelines and secure onboarding workflows
