CVE-2025-61591
BaseFortify
Publication date: 2025-10-03
Last updated on: 2025-10-17
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| anysphere | cursor | up to and including 1.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Cursor, an AI-assisted code editor. In versions 1.7 and below, when the MCP (Model Context Protocol) component authenticates to an untrusted MCP server using OAuth, an attacker operating a malicious MCP server can return specially crafted data during the OAuth interaction. That data is incorporated into an OS command without being neutralized (CWE-78), leading to command injection and potentially remote code execution on the host running Cursor.
How can this vulnerability impact me?
If exploited, this vulnerability allows an attacker to execute arbitrary code on your system with the privileges of the user running the Cursor agent. The attacker could therefore fully compromise that user's environment by running malicious commands, potentially leading to data loss, system damage, or unauthorized access.
What immediate steps should I take to mitigate this vulnerability?
Avoid using OAuth authentication with untrusted MCP servers, and apply patch 2025.09.17-25b418f as soon as possible. In addition, restrict MCP usage to servers you trust so that a malicious server cannot inject commands.