Tool Abuse / Excessive AgencyHigh

Cursor AI editor MCPoison and CurXecute RCE

August 2025  ·  Cursor AI code editor

What happened

MCPoison (CVE-2025-54136): once a user approves an MCP config, Cursor stops re-validating it, so an attacker can later swap in malicious code for persistent RCE. CurXecute (CVE-2025-54135): an indirect prompt injection could modify the global mcp.json and execute commands without confirmation.

Root cause

A one-time-approval trust model for MCP configs, plus the agent's ability to write executable config from untrusted external content.

Fix / outcome

Both issues were fixed by Cursor following coordinated disclosure.

Sources

Tenable FAQ

Learn this attack class

This incident is an example of Tool Abuse / Excessive Agency. Read the guide, then try it hands-on in the Academy.

Read the guide →Try the challenge

← Back to the Incident Database