Cyber Resilience

CVE-2025-54136

High · RCE

Published: 02 August 2025

Modified: 25 August 2025
KEV Added
Patch
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0077 (74.0th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-54136 is a high-severity OS Command Injection (CWE-78) vulnerability in Anysphere Cursor. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Supply Chain (T1195.002). The CVE ranks in the top 26.0% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related: it is categorised as Enterprise AI Assistants, in the Supply Chain and Deployment risk domain.

The strongest mitigations our analysis identified are NIST 800-53 CM-5 (Access Restrictions for Change) and SI-7 (Software, Firmware, and Information Integrity).

Deeper analysis

CVE-2025-54136 affects Cursor, a code editor built for programming with AI, in versions 1.2.4 and below. The vulnerability enables remote and persistent code execution by modifying an already trusted MCP configuration file within a shared GitHub repository or by editing the file locally on the target's machine. Classified under CWE-78 (OS Command Injection) with a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), it was published on 2025-08-02.

Attackers can exploit this if they have write permissions on a user's active branches in a source repository containing existing MCP servers the user has previously approved, or if they have arbitrary local file-write access on the target machine. In such scenarios, after a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt, achieving arbitrary code execution.

The vulnerability is fixed in Cursor version 1.3. Additional details are available in the security advisory at https://github.com/cursor/cursor/security/advisories/GHSA-24mc-g4xr-4395.

EU & UK References

Vulnerability details

Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt. If an attacker has write permissions on a user's active branches of a source repository that contains existing MCP servers the user has previously approved, or has arbitrary file-write access locally, the attacker can achieve arbitrary code execution. This is fixed in version 1.3.

CWE(s)

AI Security Analysis

AI Category: Enterprise AI Assistants
Risk Domain: Supply Chain and Deployment
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: ai, mcp

Related Threats

MITRE ATT&CK Enterprise Techniques

T1195.002 Compromise Software Supply Chain (Initial Access)
Adversaries may manipulate application software prior to receipt by a final consumer for the purpose of data or system compromise.
T1203 Exploitation for Client Execution (Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

The vulnerability enables supply chain compromise (T1195.002) through modification of trusted MCP configs in shared GitHub repos, and exploitation for client execution (T1203) in the Cursor code editor, achieving remote, persistent arbitrary code execution.

CVEs Like This One

CVE-2025-61591 (Same product: Anysphere Cursor)
CVE-2025-64106 (Same product: Anysphere Cursor)
CVE-2025-54135 (Same product: Anysphere Cursor)
CVE-2025-59944 (Same product: Anysphere Cursor)
CVE-2026-31854 (Same product: Anysphere Cursor)
CVE-2025-61593 (Same product: Anysphere Cursor)
CVE-2025-61592 (Same product: Anysphere Cursor)
CVE-2026-26268 (Same product: Anysphere Cursor)
CVE-2026-22708 (Same product: Anysphere Cursor)
CVE-2025-64108 (Same product: Anysphere Cursor)

Affected Assets

anysphere
cursor
≤ 1.3

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent / detect

Requires integrity verification of the MCP configuration file so that silent replacement of a previously trusted entry with a malicious command is detected or blocked before execution.

prevent

Enforces access restrictions on who can modify configuration files, directly limiting an attacker’s ability to alter an already-approved MCP entry in the repository or on disk.

prevent

Enforces access-control policy on the MCP configuration file so that write access is granted only to authorized subjects, preventing unauthorized substitution after initial trust.
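
One way to implement the integrity check described in the controls above, as an added example (not Cursor's code and not the vendor's fix): approval is pinned to a digest of each MCP entry's content rather than to its name, so a swapped command forces a new prompt. The `mcpServers` / `command` / `args` JSON layout and all function names are assumptions, and the sample configs are constructed.

```python
import hashlib
import json


def entry_digest(entry: dict) -> str:
    """SHA-256 over a canonical JSON form, so key order and whitespace do not matter."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def pin_approved(config_text: str) -> dict:
    """Record one digest per server entry at the moment the user approves the config."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: entry_digest(entry) for name, entry in servers.items()}


def needs_reapproval(config_text: str, pins: dict) -> dict:
    """Return {server name: reason} for entries that must not start without a new prompt."""
    servers = json.loads(config_text).get("mcpServers", {})
    findings = {}
    for name, entry in servers.items():
        if name not in pins:
            findings[name] = "new"        # never approved
        elif entry_digest(entry) != pins[name]:
            findings[name] = "changed"    # same name, different content
    return findings


# Constructed sample configs (assumed layout, not taken from the advisory).
APPROVED = '{"mcpServers": {"docs": {"command": "node", "args": ["docs-server.js"]}}}'
REORDERED = '{"mcpServers": {"docs": {"args": ["docs-server.js"], "command": "node"}}}'
SWAPPED = '{"mcpServers": {"docs": {"command": "calc.exe", "args": []}}}'

if __name__ == "__main__":
    pins = pin_approved(APPROVED)
    for label, text in (("reordered", REORDERED), ("swapped", SWAPPED)):
        print(label, needs_reapproval(text, pins))
```

The pin store itself has to live outside the repository and outside any path the same attacker can write to; otherwise the digests can be replaced along with the config.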

References