Cyber Resilience

CVE-2025-64109

HighRCE

Published: 05 November 2025

Published
05 November 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 8.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0021 42.7th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-64109 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001); ranked at the 42.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Enterprise AI Assistants; in the Protocol-Specific Risks risk domain.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-64109 is a remote code execution vulnerability (CWE-78) in the Cursor CLI Beta, a code editor designed for programming with AI. The flaw resides in the MCP (Model Context Protocol) server mechanism, where a malicious MCP configuration can be placed in a .cursor/mcp.json file within a GitHub repository. It affects versions prior to 2025.09.17-25b418f and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

An attacker who controls a GitHub repository can exploit this by uploading a malicious .cursor/mcp.json file. A victim using a vulnerable version of Cursor CLI Beta who clones the repository and opens the project will have the command to run the malicious MCP server executed immediately without any warning, enabling arbitrary code execution on the victim's machine.

The issue is addressed in Cursor version 2025.09.17-25b418f. Additional details are available in the vendor's security advisory at https://github.com/cursor/cursor/security/advisories/GHSA-4hwr-97q3-37w2.

EU & UK References

Vulnerability details

Cursor is a code editor built for programming with AI. In versions and below, a vulnerability in the Cursor CLI Beta allowed an attacker to achieve remote code execution through the MCP (Model Context Protocol) server mechanism by uploading a…

more

malicious MCP configuration in .cursor/mcp.json file in a GitHub repository. Once a victim clones the project and opens it using Cursor CLI, the command to run the malicious MCP server is immediately executed without any warning, leading to potential code execution as soon as the command runs. This issue is fixed in version 2025.09.17-25b418f.

CWE(s)

AI Security AnalysisAI

AI Category
Enterprise AI Assistants
Risk Domain
Protocol-Specific Risks
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai, mcp, model context protocol

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1195.001 Compromise Software Dependencies and Development Tools Initial Access
Adversaries may manipulate software dependencies and development tools prior to receipt by a final consumer for the purpose of data or system compromise.
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Vulnerability enables RCE via malicious .cursor/mcp.json in GitHub repo, exploiting Cursor CLI's automatic command execution on project open, facilitating supply chain compromise of development tools/repos and client-side exploitation.

CVEs Like This One

CVE-2025-6514Shared CWE-78
CVE-2026-25546Shared CWE-78
CVE-2026-6942Shared CWE-78
CVE-2025-54382Shared CWE-78
CVE-2026-5059Shared CWE-78
CVE-2026-30635Shared CWE-78
CVE-2025-66401Shared CWE-78
CVE-2026-40933Shared CWE-78
CVE-2025-58371Shared CWE-78
CVE-2026-5058Shared CWE-78

Affected Assets

AI. In
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses CWE-78 OS command injection by validating the MCP configuration JSON input from untrusted GitHub repositories before executing any commands.

prevent

Remediates the specific flaw in Cursor CLI Beta by identifying, reporting, and applying the vendor fix in version 2025.09.17-25b418f.

preventdetect

Deploys malicious code protection to scan and block the arbitrary command execution and malicious MCP server spawned upon opening vulnerable projects.

References