CVE-2025-54136
Published: 02 August 2025
Summary
CVE-2025-54136 is a high-severity OS Command Injection (CWE-78) vulnerability in Anysphere Cursor. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE ranks in the top 26.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: categorised as Enterprise AI Assistants, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-7 (Software, Firmware, and Information Integrity).
Deeper analysis
CVE-2025-54136 affects Cursor, a code editor built for programming with AI, in versions 1.2.4 and below. The vulnerability enables remote and persistent code execution by modifying an already trusted MCP configuration file within a shared GitHub repository or by editing the file locally on the target's machine. Classified under CWE-78 (OS Command Injection) with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), it was published on 2025-08-02.
Attackers can exploit this if they have write permissions on a user's active branches in a source repository containing existing MCP servers the user has previously approved, or if they have arbitrary local file-write access on the target machine. In such scenarios, after a collaborator accepts a harmless MCP server entry, the attacker can silently swap its command for a malicious one (e.g., calc.exe) without triggering any warning or re-prompt, achieving arbitrary code execution. The PR:H component of the CVSS vector reflects that prerequisite (repository or local write access); UI:N reflects that the swapped entry runs with no fresh approval from the user.
The vulnerability is fixed in Cursor version 1.3. Additional details are available in the security advisory at https://github.com/cursor/cursor/security/advisories/GHSA-24mc-g4xr-4395.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-23405
Vulnerability details
Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt. If an attacker has write permissions on a user's active branches of a source repository that contains existing MCP servers the user has previously approved, or has arbitrary file-write access locally, the attacker can achieve arbitrary code execution. This is fixed in version 1.3.
- CWE(s): CWE-78 (OS Command Injection)
AI Security Analysis
- AI Category: Enterprise AI Assistants
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Matched keywords: ai, mcp
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables supply chain compromise (T1195.002), via modification of trusted MCP configuration files in shared GitHub repositories, and exploitation for client execution (T1203) in the Cursor code editor, achieving remote, persistent, arbitrary code execution.
Affected Assets
- Anysphere Cursor, versions 1.2.4 and below (fixed in version 1.3)
Mitigating Controls (NIST 800-53 r5)
- SI-7 (Software, Firmware, and Information Integrity): requires integrity verification of the MCP configuration file so that silent replacement of a previously trusted entry with a malicious command is detected or blocked before execution.
- CM-5 (Access Restrictions for Change): enforces access restrictions on who can modify configuration files, directly limiting an attacker's ability to alter an already-approved MCP entry in the repository or on disk.
- Access enforcement on the configuration file (control identifier not given on this page): enforces access-control policy on the MCP configuration file so that write access is granted only to authorized subjects, preventing unauthorized substitution after initial trust.
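The following is an added example, not Cursor's code and not taken from the advisory. It illustrates the trust-model defect described in the Deeper analysis section and the SI-7 integrity check listed above: a name-only approval record lets a swapped command run, whereas an approval record keyed on a digest of the entry's executable content (command, args, env) flags the swap and forces a re-prompt. The `{"mcpServers": {...}}` layout of the project-level MCP config, the server name `docs`, and the package name `@example/docs-mcp` are assumptions for the sample, and all three config dicts are constructed here.

```python
"""Detect silent replacement of an already-approved MCP server entry.

Added example; not Cursor's own code. Assumes the project MCP config has
the layout {"mcpServers": {"<name>": {"command": ..., "args": [...], "env": {...}}}}.
"""
import hashlib
import json

# Constructed sample: the config a collaborator reviewed and approved.
APPROVED_CONFIG = {
    "mcpServers": {
        "docs": {
            "command": "npx",
            "args": ["-y", "@example/docs-mcp"],   # hypothetical package name
            "env": {"DOCS_ROOT": "./docs"},
        }
    }
}

# Constructed sample: the same file after an attacker with write access to the
# branch swapped the command (the calc.exe case from the advisory). The server
# name is unchanged, so a name-keyed trust check still passes.
TAMPERED_CONFIG = {
    "mcpServers": {
        "docs": {"command": "calc.exe", "args": [], "env": {}}
    }
}

# Constructed sample: the approved file re-saved with keys in another order.
# Semantically identical, so it must still count as approved (no false re-prompt).
REORDERED_CONFIG = {
    "mcpServers": {
        "docs": {
            "env": {"DOCS_ROOT": "./docs"},
            "args": ["-y", "@example/docs-mcp"],
            "command": "npx",
        }
    }
}


def entry_digest(entry: dict) -> str:
    """SHA-256 over the fields that determine what will be executed.

    Canonical JSON (sorted keys, no whitespace, defaults for absent args/env)
    so cosmetic edits do not change the digest but any change to the command,
    its arguments or its environment does.
    """
    material = {
        "command": entry.get("command"),
        "args": entry.get("args", []),
        "env": entry.get("env", {}),
    }
    canonical = json.dumps(material, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def record_approval(config: dict) -> dict:
    """What to persist when the user approves a config: server name -> digest."""
    return {name: entry_digest(e) for name, e in config.get("mcpServers", {}).items()}


def classify(config: dict, approvals: dict) -> dict:
    """Compare the current file against the approval record.

    Returns name -> 'approved' | 'changed' | 'new'. Anything other than
    'approved' must be re-prompted before the server is started.
    """
    verdicts = {}
    for name, entry in config.get("mcpServers", {}).items():
        if name not in approvals:
            verdicts[name] = "new"
        elif approvals[name] != entry_digest(entry):
            verdicts[name] = "changed"
        else:
            verdicts[name] = "approved"
    return verdicts


def startable_by_name(config: dict, approvals: dict) -> list:
    """The vulnerable pattern: trust keyed on the server name only."""
    return sorted(n for n in config.get("mcpServers", {}) if n in approvals)


def startable_by_digest(config: dict, approvals: dict) -> list:
    """The hardened pattern: trust keyed on the digest of the entry's content."""
    return sorted(n for n, v in classify(config, approvals).items() if v == "approved")


if __name__ == "__main__":
    approvals = record_approval(APPROVED_CONFIG)
    print("name-only trust would start:", startable_by_name(TAMPERED_CONFIG, approvals))
    print("digest trust would start:   ", startable_by_digest(TAMPERED_CONFIG, approvals))
    print("verdicts:", classify(TAMPERED_CONFIG, approvals))
```

The digest deliberately covers only `command`, `args` and `env`, because those are what reach the OS; a change to any of them is exactly the "silent swap" the advisory describes, while a re-ordering of keys or a whitespace edit in the file does not trigger a re-prompt. The same record can be applied to a user-level MCP config edited through local file write, the second attack path named on this page.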