Breachwire.riscent

Breach report

CurXecute: a Slack message that rewrote Cursor's MCP config into remote code execution

AI & LLM BreachesHigh (CVSS 8.6)CVE-2025-541352025-08
The bottom lineAn indirect prompt injection reaching Cursor through an MCP server could rewrite the agent's mcp.json configuration and trigger command execution before the user could even reject the change.
Category
AI & LLM Breaches
Type
CVE · Named incident (Cursor)
Date
2025-08
Severity
High (CVSS 8.6)
OWASP
LLM01 Prompt Injection; LLM06 Excessive Agency; LLM05 Improper Output Handling
CWE / CVE
CWE-78 CVE-2025-54135

What happened

Cursor is an AI-powered code editor that can connect to external tools through the Model Context Protocol (MCP). A vulnerability tracked as CVE-2025-54135 and nicknamed CurXecute allowed an attacker to turn an untrusted MCP data source into remote code execution on the developer's machine.

The attack relied on indirect prompt injection through an MCP server connected to a service such as Slack. A crafted message, once ingested by the agent, could drive Cursor to modify its global mcp.json configuration file. Because a newly written MCP server entry could carry a command, the injected configuration led to command execution — and, as the disclosure notes, Cursor executed it "even before the user has a chance to reject the suggested edits," collapsing the human-in-the-loop safeguard. The issue affected Cursor versions 1.2.4 and below and was fixed in version 1.3. It carried a CVSS score in the high range.

Root cause

  • LLM01 Prompt Injection (indirect). Content arriving through an MCP server was treated as trusted instruction, letting an attacker steer the agent's actions.
  • LLM06 Excessive Agency. The agent could rewrite its own tool configuration — a security-critical file — without a firm approval gate.
  • LLM05 Improper Output Handling. A model-influenced write into mcp.json flowed straight into command execution, with no validation between the model's output and a shell.

How it would have been caught

An agentic red-team test that feeds a poisoned MCP message and then checks whether mcp.json changed — or whether any command executed — would have surfaced the flaw. File-integrity monitoring on the MCP configuration and a policy that no config write executes without explicit, blocking user approval are the load-bearing checks. Injection generators such as PyRIT or Promptfoo drive the input side.

How to prevent it

  • Treat all MCP tool output as untrusted data, never as instructions that can reconfigure the agent.
  • Make the MCP configuration file read-only to the agent, or require an out-of-band, blocking confirmation before any write takes effect.
  • Never let a configuration write auto-execute — separate "propose" from "apply," and validate proposed commands before they can run.

The Breachwire test (red → green)

Feed a poisoned MCP message and confirm the agent rewrites mcp.json and executes a command (the RED control proving RCE is reachable). Apply config write-protection and a blocking approval gate, then confirm the same message cannot alter the config or run code, while a legitimate, user-approved MCP configuration change still works (the positive control).