Cursor AI Code Editor's RCE Flaw: MCPoison Poses Significant Threat
- John Jordan
A critical security vulnerability, dubbed MCPoison, has been discovered in the AI-powered code editor Cursor, potentially allowing attackers to execute arbitrary code remotely. The flaw exploits how Cursor handles modifications to Model Context Protocol (MCP) server configurations, posing a serious risk to developers and organizations.
Key Takeaways
A remote code execution (RCE) vulnerability, CVE-2025-54136, has been found in the Cursor AI code editor.
The vulnerability, named MCPoison, allows attackers to replace approved MCP configurations with malicious payloads.
Cursor has released version 1.3 to address the issue by requiring re-approval for MCP configuration changes.
This incident highlights broader security concerns surrounding AI-assisted development tools and AI supply chains.
The MCPoison Vulnerability Explained
The vulnerability, officially tracked as CVE-2025-54136 with a CVSS score of 7.2, was disclosed by Check Point Research. MCPoison leverages a weakness in Cursor's handling of Model Context Protocol (MCP) configurations. MCP is an open standard developed by Anthropic that enables large language models (LLMs) to interact with external tools and services.
The attack chain begins with an attacker adding a seemingly benign MCP configuration file to a shared repository. Once a collaborator pulls the code and approves this configuration within Cursor, the attacker can silently replace the approved file with a malicious payload, such as commands that launch scripts or establish backdoors. Because the editor does not prompt again, the replaced configuration executes without further user intervention or warning.
"Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt," Cursor stated in an advisory.
The core issue lies in Cursor's trust model: once an MCP configuration is approved, it is trusted indefinitely by the editor, even if subsequently modified. This opens the door to significant supply chain risks, data theft, and intellectual property compromise.
Patch and Broader Implications
Following responsible disclosure on July 16, 2025, Cursor addressed the vulnerability in version 1.3, released in late July 2025. The fix requires users to re-approve any modifications made to the MCP configuration file, thereby mitigating the risk of silent payload injection.
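The trust model described above, and the re-approval behaviour of the version 1.3 fix, as an added example (this is illustrative code, not Cursor's own; the JSON layout with a top-level "mcpServers" object whose entries carry "command" and "args", and the project-level path ".cursor/mcp.json", are assumptions). A path-bound approval store keeps trusting a file after its contents are swapped; a content-bound store ties the approval to a hash of the canonicalised configuration, so any edit forces a fresh prompt. The sample configurations are constructed.

```python
"""Approval tracking for MCP server configurations: the path-bound trust
model behind MCPoison beside a content-bound one that re-prompts on change.
Added example, not Cursor's code; the config layout and path are assumed."""
import hashlib
import json

# Constructed sample configs: the benign one a collaborator approves, and
# the swapped-in one that would launch a different command (calc.exe is the
# example command quoted in the advisory).
BENIGN_CONFIG = json.dumps({
    "mcpServers": {"docs": {"command": "node", "args": ["docs-server.js"]}}
})
SWAPPED_CONFIG = json.dumps({
    "mcpServers": {"docs": {"command": "calc.exe", "args": []}}
})


def config_fingerprint(config_text: str) -> str:
    """Canonicalise the JSON (sorted keys, no whitespace) and hash it, so
    formatting-only edits do not count as a change but any semantic edit does."""
    canonical = json.dumps(json.loads(config_text), sort_keys=True,
                           separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class PathBoundApprovals:
    """Weak model: approval is remembered per file path and never expires,
    so whatever the file later contains is still trusted."""

    def __init__(self):
        self._approved_paths = set()

    def approve(self, path: str, config_text: str) -> None:
        self._approved_paths.add(path)

    def may_run(self, path: str, config_text: str) -> bool:
        return path in self._approved_paths


class ContentBoundApprovals:
    """Fixed model: approval is bound to (path, content hash); a modified
    file no longer matches and must be approved again."""

    def __init__(self):
        self._approved = {}

    def approve(self, path: str, config_text: str) -> None:
        self._approved[path] = config_fingerprint(config_text)

    def may_run(self, path: str, config_text: str) -> bool:
        return self._approved.get(path) == config_fingerprint(config_text)


def simulate_swap(store_cls) -> dict:
    """Collaborator approves the benign config, the file is swapped, and the
    editor checks whether it may still launch the configured servers."""
    store = store_cls()
    path = ".cursor/mcp.json"  # assumed project-level config path
    store.approve(path, BENIGN_CONFIG)
    return {
        "benign_runs": store.may_run(path, BENIGN_CONFIG),
        "swapped_runs": store.may_run(path, SWAPPED_CONFIG),
    }


def commands_in(config_text: str) -> dict:
    """List the command line each server entry would launch, the detail a
    reviewer or pre-merge check should surface when the file changes."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: [spec.get("command", "")] + list(spec.get("args", []))
            for name, spec in servers.items()}


if __name__ == "__main__":
    print("path-bound approvals:   ", simulate_swap(PathBoundApprovals))
    print("content-bound approvals:", simulate_swap(ContentBoundApprovals))
    print("swapped config would launch:", commands_in(SWAPPED_CONFIG))
```

The path-bound store reports that both the benign and the swapped configuration may run, which is the MCPoison condition; the content-bound store accepts the benign file and refuses the swapped one until it is approved again. Hashing the canonical form rather than the raw bytes keeps a reformatting from triggering spurious prompts without letting a command change slip through; a repository-side check that diffs the output of commands_in across commits gives reviewers the same signal before the file ever reaches an editor.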
"The flaw exposes a critical weakness in the trust model behind AI-assisted development environments, raising the stakes for teams integrating LLMs and automation into their workflows," noted Check Point.
This discovery follows other security weaknesses in AI tools, also patched in Cursor version 1.3, that could have led to RCE and to bypasses of security protections. The findings underscore the growing security challenges that come with the increasing adoption of AI in business workflows, including code generation. Risks such as AI supply chain attacks, unsafe code generation, model poisoning, and data leakage are becoming more prominent.
Recent studies indicate that a significant percentage of AI-generated code fails security tests, introducing common vulnerabilities. Furthermore, novel attack vectors like prompt injection via legal disclaimers (LegalPwn), covert data extraction through browser extensions (man-in-the-prompt), and manipulation of LLM logic (Fallacy Failure) highlight the evolving threat landscape. Attacks targeting multi-agent systems (MAS hijacking) and AI model inference pipelines (Poisoned GGUF Templates) also demonstrate the sophisticated nature of these emerging risks.
As LLMs become more integrated into development tools and enterprise workflows, the potential for cascading failures across interconnected systems increases. Experts emphasize that AI security requires a new paradigm, as these attacks often bypass traditional security measures by exploiting the inherent language and reasoning capabilities of AI models.
Sources
Cursor AI Code Editor Vulnerability Enables RCE via Malicious MCP File Swaps Post Approval, The Hacker News.