CVE-2025-64109
Published: 05 November 2025
Summary
CVE-2025-64109 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Software Dependencies and Development Tools (T1195.001). The CVE ranks at the 32.5th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
This vulnerability is AI-related: it is categorised as AI Agent Protocols and Integrations, in the Supply Chain and Deployment risk domain.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly addresses CWE-78 OS command injection by validating the MCP configuration JSON input from untrusted GitHub repositories before executing any commands.
Remediates the specific flaw in Cursor CLI Beta by identifying, reporting, and applying the vendor fix in version 2025.09.17-25b418f.
Deploys malicious code protection to scan and block the arbitrary command execution and malicious MCP server spawned upon opening vulnerable projects.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables RCE via a malicious .cursor/mcp.json in a GitHub repository by exploiting Cursor CLI's automatic command execution on project open. This facilitates supply chain compromise of development tools and repositories, as well as client-side exploitation.
NVD Description
Cursor is a code editor built for programming with AI. In versions and below, a vulnerability in the Cursor CLI Beta allowed an attacker to achieve remote code execution through the MCP (Model Context Protocol) server mechanism by uploading a malicious MCP configuration in .cursor/mcp.json file in a GitHub repository. Once a victim clones the project and opens it using Cursor CLI, the command to run the malicious MCP server is immediately executed without any warning, leading to potential code execution as soon as the command runs. This issue is fixed in version 2025.09.17-25b418f.
Deeper analysis
CVE-2025-64109 is a remote code execution vulnerability (CWE-78) in the Cursor CLI Beta, a code editor designed for programming with AI. The flaw resides in the MCP (Model Context Protocol) server mechanism, where a malicious MCP configuration can be placed in a .cursor/mcp.json file within a GitHub repository. It affects versions prior to 2025.09.17-25b418f and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An attacker who controls a GitHub repository can exploit this by uploading a malicious .cursor/mcp.json file. A victim using a vulnerable version of Cursor CLI Beta who clones the repository and opens the project will have the command to run the malicious MCP server executed immediately without any warning, enabling arbitrary code execution on the victim's machine.
The issue is addressed in Cursor version 2025.09.17-25b418f. Additional details are available in the vendor's security advisory at https://github.com/cursor/cursor/security/advisories/GHSA-4hwr-97q3-37w2.
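A pre-open check for the behaviour described above, as an added example (not Cursor's code and not taken from the advisory): it lists every local process that a checkout's .cursor/mcp.json would ask an MCP client to spawn, without executing anything. The mcpServers/command/args/env layout is the commonly documented MCP configuration form and is an assumption here, as are the function and field names.

```python
import json
from pathlib import Path

# Assumed layout (not given on this page): the commonly documented MCP form
# {"mcpServers": {"<name>": {"command": "...", "args": [...], "env": {...}}}}
SHELLS = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe",
          "powershell", "powershell.exe", "pwsh"}

def audit_repo(repo_root):
    """List every process a checkout's .cursor/mcp.json asks the client to spawn.

    Read-only: files are parsed, nothing is executed.
    """
    findings = []
    for cfg in sorted(Path(repo_root).rglob("mcp.json")):
        if cfg.parent.name != ".cursor":
            continue
        rel = cfg.relative_to(repo_root).as_posix()
        try:
            doc = json.loads(cfg.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            # Unreadable or malformed config: report it instead of skipping it.
            findings.append({"file": rel, "server": None, "argv": None,
                             "shell": False, "env_keys": [], "error": str(exc)})
            continue
        servers = doc.get("mcpServers") if isinstance(doc, dict) else None
        if not isinstance(servers, dict):
            continue
        for name, entry in servers.items():
            if not isinstance(entry, dict) or "command" not in entry:
                continue  # e.g. URL-only entries start no local process
            command = str(entry["command"])
            args = entry.get("args") or []
            args = args if isinstance(args, list) else [args]
            env = entry.get("env")
            # Basename of the executable, tolerating Windows separators.
            exe = command.replace("\\", "/").rsplit("/", 1)[-1].lower()
            findings.append({"file": rel, "server": name,
                             "argv": [command] + [str(a) for a in args],
                             "shell": exe in SHELLS,  # interpreter: args are a script
                             "env_keys": sorted(env) if isinstance(env, dict) else [],
                             "error": None})
    return findings

if __name__ == "__main__":
    import sys
    for finding in audit_repo(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(finding)
```

Run it against a fresh clone before opening the project in any MCP-aware client; any finding means the repository ships a server definition that should be read by a person first.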
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category: AI Agent Protocols and Integrations
- Risk Domain: Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025: None mapped
- Classification Reason: The vulnerability affects Cursor, an AI code editor, specifically through the MCP (Model Context Protocol) server mechanism, a protocol for model context integration in AI agents, via a malicious .cursor/mcp.json configuration file.