CVE-2025-61591
Published: 03 October 2025
Summary
CVE-2025-61591 is a high-severity OS Command Injection (CWE-78) vulnerability in Anysphere Cursor. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The vulnerability ranks at the 31.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as Other Platforms, in the Protocol-Specific Risks risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SA-9 (External System Services) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) (AI)
Directly mitigates the command injection vulnerability by requiring timely application of the available patch (2025.09.17-25b418f) to Cursor versions 1.7 and below.
Prevents command injection by enforcing validation of untrusted inputs received from impersonated MCP servers during OAuth authentication interactions.
Restricts and authorizes the use of external MCP services via OAuth, ensuring only trusted servers are permitted to prevent impersonation attacks.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The vulnerability enables server impersonation (T1557) during OAuth to inject commands (T1059), leading to remote code execution via client application exploitation (T1203).
NVD Description
Cursor is a code editor built for programming with AI. In versions 1.7 and below, when MCP uses OAuth authentication with an untrusted MCP server, an attacker can impersonate a malicious MCP server and return crafted, maliciously injected commands during the interaction process, leading to command injection and potential remote code execution. If chained with an untrusted MCP service via OAuth, this command injection vulnerability could allow arbitrary code execution on the host by the agent. This can then be used to directly compromise the system by executing malicious commands with full user privileges. This issue does not currently have a fixed release version, but there is a patch, 2025.09.17-25b418f.
Deeper analysis (AI)
CVE-2025-61591 is a command injection vulnerability (CWE-78) affecting Cursor, an AI-powered code editor for programming, in versions 1.7 and below. The flaw occurs when the MCP component uses OAuth authentication with an untrusted MCP server, allowing an attacker to impersonate a malicious server and inject crafted commands during the authentication interaction process. This leads to potential remote code execution on the affected host.
An attacker with network access can exploit this vulnerability without prior privileges by tricking a user into authenticating via OAuth to a malicious MCP server (user interaction required, per CVSS UI:R). Successful exploitation enables arbitrary command injection by the agent, resulting in remote code execution with full user privileges on the host system, compromising confidentiality, integrity, and availability (CVSS 8.8: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
The GitHub security advisory at https://github.com/cursor/cursor/security/advisories/GHSA-wj33-264c-j9cq notes no fixed release version is available yet, but a patch (2025.09.17-25b418f) has been issued for remediation. Security practitioners should apply this patch promptly and avoid using untrusted MCP servers with OAuth in Cursor installations.
Cursor's integration of AI for programming introduces relevance to AI/ML workflows, as exploitation could target developer environments handling AI model code or data. No public reports of real-world exploitation are available as of the CVE publication on 2025-10-03.
Details
- CWE(s)
Affected Products
AI Security Analysis (AI)
- AI Category: Other Platforms
- Risk Domain: Protocol-Specific Risks
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: Cursor is an AI-powered code editor designed for programming with AI, functioning as an enterprise-level AI assistant for developers, with the vulnerability occurring in its integration with AI services via MCP OAuth authentication.