CVE-2025-54135
Published: 05 August 2025
Summary
CVE-2025-54135 is a high-severity OS Command Injection (CWE-78) vulnerability in Anysphere Cursor. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It ranks at the 31.1st percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Other Platforms, in the LLM/Generative AI Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations to prevent unauthorized creation and writing of sensitive workspace files like .cursor/mcp.json without user approval.
Validates inputs to the AI context to block indirect prompt injection attacks that hijack functionality and trigger malicious file writes.
Restricts code editor and AI components to least privilege, preventing escalation to RCE via unauthorized sensitive file operations.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability in the Cursor code editor enables unauthorized creation of workspace dotfiles (e.g., .cursor/mcp.json) without user approval. Chained with indirect prompt injection, this achieves RCE, directly facilitating Exploitation for Client Execution.
NVD Description
Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions below 1.3.9. If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive MCP files, such as the .cursor/mcp.json file, don't already exist in the workspace, an attacker can chain an indirect prompt injection vulnerability to hijack the context to write to the settings file and trigger RCE on the victim without user approval. This is fixed in version 1.3.9.
Deeper analysis
CVE-2025-54135 is a high-severity vulnerability (CVSS 8.5) affecting Cursor, an AI-powered code editor for programming, in versions prior to 1.3.9. The issue stems from the editor's permission model, which allows writing files directly in the workspace without user approval. While editing existing dotfiles requires approval, creating new ones does not. This enables attackers to target sensitive files like .cursor/mcp.json if they do not already exist, chained with an indirect prompt injection vulnerability (related to CWE-78 OS command injection and CWE-829 inclusion of functionality from untrusted sources) to hijack the AI context and write malicious settings.
An attacker with low privileges (PR:L) can exploit this over the network (AV:N) with high attack complexity (AC:H) and no user interaction (UI:N), achieving scope change (S:C) with high impacts on confidentiality, integrity, and availability (C:H/I:H/A:H). By leveraging indirect prompt injection, the attacker hijacks the AI context to create and write to the .cursor/mcp.json settings file, triggering remote code execution (RCE) on the victim's machine without any approval prompts.
The GitHub Security Advisory (GHSA-4cxx-hrm3-49rm) confirms the vulnerability was fixed in Cursor version 1.3.9 by addressing the file write permissions and prompt injection chaining. Security practitioners should urge users to update to 1.3.9 or later and review workspaces in which sensitive dotfiles such as .cursor/mcp.json do not yet exist, since those files could be targeted.
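The workspace review recommended above can be scripted. The following is an added example, not code from Cursor or from the advisory: it reports whether .cursor/mcp.json is absent (the case the pre-1.3.9 permission model left unguarded) or present, and lists the commands a present file would launch so they can be reviewed. The function names are hypothetical, the `mcpServers`/`command`/`args` layout is an assumption about the file format, and the sample workspaces are constructed.

```python
import json
import tempfile
from pathlib import Path

FIXED = (1, 3, 9)  # first fixed Cursor release named on this page


def is_vulnerable(version: str) -> bool:
    """True when a dotted numeric version such as '1.3.8' is below 1.3.9."""
    parts = [int(p) for p in version.split(".")[:3]]
    parts += [0] * (3 - len(parts))
    return tuple(parts) < FIXED


def audit_workspace(root: Path) -> dict:
    """Report the state of .cursor/mcp.json and any commands it would launch."""
    result = {"workspace": root.name, "state": "absent", "commands": []}
    cfg = root / ".cursor" / "mcp.json"
    if not cfg.is_file():
        return result  # absent: creating it needed no approval before 1.3.9
    try:
        data = json.loads(cfg.read_text(encoding="utf-8"))
    except (OSError, ValueError):
        result["state"] = "unreadable"
        return result
    result["state"] = "present"
    # Assumed layout: {"mcpServers": {name: {"command": str, "args": [str]}}}
    servers = data.get("mcpServers") if isinstance(data, dict) else None
    if not isinstance(servers, dict):
        return result
    for name, spec in sorted(servers.items()):
        if isinstance(spec, dict) and "command" in spec:
            args = spec.get("args")
            argv = [str(spec["command"]), *map(str, args if isinstance(args, list) else [])]
            result["commands"].append((name, " ".join(argv)))
    return result


def demo() -> list:
    """Audit two constructed workspaces created in a temporary directory."""
    sample = {"mcpServers": {"docs": {"command": "npx", "args": ["-y", "example-mcp-server"]}}}
    with tempfile.TemporaryDirectory() as tmp:
        bare, configured = Path(tmp, "bare"), Path(tmp, "configured")
        bare.mkdir()
        (configured / ".cursor").mkdir(parents=True)
        (configured / ".cursor" / "mcp.json").write_text(json.dumps(sample), encoding="utf-8")
        return [audit_workspace(bare), audit_workspace(configured)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

A workspace reported as `absent` on a host where `is_vulnerable()` is true for the installed version is the combination this CVE describes; a `present` file whose commands nobody on the team recognises warrants review regardless of version.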
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: LLM/Generative AI Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Cursor is an AI-powered code editor designed for programming with AI features, fitting the Enterprise AI Assistants category as it integrates AI assistance directly into development workflows.