CVE-2025-54136
Published: 02 August 2025
Summary
CVE-2025-54136 is a high-severity OS Command Injection (CWE-78) vulnerability in Anysphere Cursor. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). It ranks at the 32.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Other Platforms, in the Supply Chain and Deployment risk domain.
Threat & Defense Details
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables supply chain compromise (T1195.002) through modification of trusted MCP configs in shared GitHub repositories, and exploitation for client execution (T1203) in the Cursor code editor, resulting in remote, persistent arbitrary code execution.
NVD Description
Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt. If an attacker has write permissions on a user's active branches of a source repository that contains existing MCP servers the user has previously approved, or has arbitrary file-write access locally, the attacker can achieve arbitrary code execution. This is fixed in version 1.3.
Deeper analysis
CVE-2025-54136 affects Cursor, a code editor built for programming with AI, in versions 1.2.4 and below. The vulnerability enables remote and persistent code execution by modifying an already trusted MCP configuration file within a shared GitHub repository or by editing the file locally on the target's machine. Classified under CWE-78 (OS Command Injection) with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), it was published on 2025-08-02.
Attackers can exploit this if they have write permissions on a user's active branches in a source repository containing existing MCP servers the user has previously approved, or if they have arbitrary local file-write access on the target machine. In such scenarios, after a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt, achieving arbitrary code execution.
The vulnerability is fixed in Cursor version 1.3. Additional details are available in the security advisory at https://github.com/cursor/cursor/security/advisories/GHSA-24mc-g4xr-4395.
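As an added example (not Cursor's code, and not a description of how version 1.3 fixes the issue), one way a defender could detect the swap described above is to record a hash of each MCP server entry at approval time and flag any entry whose command, arguments or environment later differ. The `mcpServers` JSON layout, the function names and all sample values below are assumptions constructed for illustration.

```python
import hashlib
import json

# Fields that decide what is executed or contacted for a server entry (assumed layout).
EXEC_FIELDS = ("command", "args", "env", "url")


def fingerprint(entry):
    """Hash the execution-relevant fields of one MCP server entry."""
    material = {field: entry.get(field) for field in EXEC_FIELDS}
    # Canonical JSON so key order and whitespace do not change the hash.
    canonical = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def approve(config_text):
    """Build the approval record: one fingerprint per server name."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: fingerprint(entry) for name, entry in servers.items()}


def audit(config_text, approved):
    """Return {server name: 'ok' | 'changed' | 'unapproved'} for the current config."""
    servers = json.loads(config_text).get("mcpServers", {})
    report = {}
    for name, entry in servers.items():
        if name not in approved:
            report[name] = "unapproved"
        elif fingerprint(entry) != approved[name]:
            report[name] = "changed"  # same name, different command: re-prompt
        else:
            report[name] = "ok"
    return report


# Constructed sample configs (not taken from a real repository).
APPROVED_CONFIG = '{"mcpServers": {"docs": {"command": "node", "args": ["docs-server.js"]}}}'
REORDERED_CONFIG = '{"mcpServers": {"docs": {"args": ["docs-server.js"], "command": "node"}}}'
SWAPPED_CONFIG = '{"mcpServers": {"docs": {"command": "calc.exe", "args": []}}}'

if __name__ == "__main__":
    record = approve(APPROVED_CONFIG)
    for label, text in (("unchanged", APPROVED_CONFIG),
                        ("reordered", REORDERED_CONFIG),
                        ("swapped", SWAPPED_CONFIG)):
        print(label, audit(text, record))
```

The approval record has to be stored outside the repository, since the scenario assumes the attacker can write to the files in it.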
AI Security Analysis
- AI Category: Other Platforms
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Cursor is a code editor explicitly built for programming with AI, integrating AI features for coding assistance, which aligns with Enterprise AI Assistants. The vulnerability exploits MCP configuration files for remote code execution in this AI-enhanced development environment.