CVE-2025-54135
BaseFortify
Publication date: 2025-08-05
Last updated on: 2025-08-25
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anysphere | cursor | up to 1.3.9 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-54135 is a high-severity vulnerability in Cursor versions up to 1.2.1 where the software allows writing files within the workspace without user approval. While editing existing dotfiles requires approval, creating new dotfiles does not. An attacker can exploit this by chaining it with an indirect prompt injection vulnerability to hijack the context and write to sensitive MCP configuration files like `.cursor/mcp.json` without user consent. This enables the attacker to add a malicious MCP server and achieve arbitrary code execution (RCE) on the victim's host. The vulnerability involves unsafe use of externally influenced input in OS commands and importing executable code from untrusted sources. It is network-based, requires low privileges, no user interaction, and affects confidentiality, integrity, and availability. [1]
How can this vulnerability impact me?
This vulnerability can lead to an attacker executing arbitrary code on your system without your approval, compromising the confidentiality, integrity, and availability of your data and system. Because the attacker can write to sensitive configuration files and trigger remote code execution, your system could be fully compromised, allowing unauthorized access, data theft, or disruption of services. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection can focus on identifying unauthorized creation or modification of MCP-sensitive files like `.cursor/mcp.json` within the workspace, especially if these files did not previously exist. Monitoring file system changes for new dotfiles in the Cursor workspace directory is recommended. Checking for Cursor versions below 1.3.9 also helps identify vulnerable installations. On Linux, a file system monitoring tool such as `inotifywait` can watch for creation of `.cursor/mcp.json` or other dotfiles, for example: `inotifywait -m -e create,modify /path/to/cursor/workspace/.cursor/`. The installed Cursor version can be checked with `cursor --version` or by inspecting the installed package version. Network monitoring for suspicious activity related to MCP server connections could also be useful, but no explicit commands are provided in the resources. [1]
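The file check described above can also be run as a periodic audit against a reviewed baseline. The following is an added example, not code from Cursor or from this page; the `mcpServers` / `command` / `args` / `url` schema, the function names and the sample server entries are assumptions constructed for illustration.

```python
import json
import tempfile
from pathlib import Path


def launch_spec(entry):
    """Normalise one entry (assumed schema: "command"/"args" or "url") to a tuple."""
    args = entry.get("args", []) if isinstance(entry, dict) else None
    if not isinstance(args, list):
        return ("<malformed>",)
    if "url" in entry:
        return ("url", str(entry["url"]))
    return (str(entry.get("command", "")), *map(str, args))


def audit_workspace(root, baseline):
    """Return (path, server, reason) for each config or server absent from baseline."""
    root, findings = Path(root), []
    for cfg in root.rglob("mcp.json"):
        if cfg.parent.name != ".cursor":
            continue
        rel = cfg.relative_to(root).as_posix()
        try:
            servers = json.loads(cfg.read_text(encoding="utf-8"))["mcpServers"]
        except (OSError, ValueError, KeyError, TypeError):
            servers = None
        if not isinstance(servers, dict):
            findings.append((rel, "*", "unparseable config"))
            continue
        known = baseline.get(rel)
        if known is None:  # the file itself appeared after the last review
            findings.append((rel, "*", "config file not in baseline"))
            known = {}
        for name, entry in servers.items():
            if known.get(name) != launch_spec(entry):
                findings.append((rel, name, "server added or changed"))
    return sorted(findings)


def demo():
    """Constructed sample: app/ was reviewed, lib/ gained a config afterwards."""
    docs = {"command": "npx", "args": ["-y", "example-docs-server"]}
    extra = {"command": "python3", "args": ["helper.py"]}
    with tempfile.TemporaryDirectory() as tmp:
        for proj, servers in (("app", {"docs": docs}), ("lib", {"helper": extra})):
            cfg_dir = Path(tmp, proj, ".cursor")
            cfg_dir.mkdir(parents=True)
            (cfg_dir / "mcp.json").write_text(json.dumps({"mcpServers": servers}))
        baseline = {"app/.cursor/mcp.json": {"docs": launch_spec(docs)}}
        return audit_workspace(tmp, baseline)
```

`inotifywait` exits with an error when the watched `.cursor/` directory does not exist yet, so a scan like this one also covers workspaces where the directory is created together with the file.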
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Cursor to version 1.3.9 or later, where the vulnerability is fixed by blocking the agent from writing MCP-sensitive files without explicit user approval. Until the upgrade can be applied, restrict access to the Cursor workspace to trusted users only, monitor for unauthorized file creation or modification, and consider disabling network access to Cursor if possible to reduce attack surface. [1]