CVE-2025-61591 in Cursor

Summary

by MITRE • 10/03/2025

Cursor is a code editor built for programming with AI. In versions 1.7 and below, when MCP uses OAuth authentication with an untrusted MCP server, an attacker can impersonate a malicious MCP server and return crafted, maliciously injected commands during the interaction process, leading to command injection and potential remote code execution. If chained with an untrusted MCP service via OAuth, this command injection vulnerability could allow arbitrary code execution on the host by the agent. This can then be used to directly compromise the system by executing malicious commands with full user privileges. This issue does not currently have a fixed release version, but there is a patch, 2025.09.17-25b418f.


Analysis

by VulDB Data Team • 10/03/2025

CVE-2025-61591 represents a critical command injection vulnerability within Cursor, a code editor designed for AI-assisted programming. The flaw exists in versions 1.7 and earlier where the application's interaction with MCP (Model Context Protocol) servers using OAuth authentication creates a dangerous attack vector. When a user connects to an untrusted MCP server through OAuth, the vulnerability allows an attacker to impersonate the legitimate server and inject malicious commands into the interaction process. This represents a significant security weakness that directly maps to CWE-94, "Improper Control of Generation of Code ('Code Injection')," and specifically aligns with CWE-78, "Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')." The vulnerability operates at the intersection of trust boundaries and authentication mechanisms, creating a pathway for privilege escalation and remote code execution.

The technical exploitation of this vulnerability occurs through the MCP protocol's OAuth authentication flow, where the attacker can manipulate the communication between Cursor and the MCP server. By masquerading as a legitimate server, the malicious entity can inject commands that get executed within the context of the Cursor application. This command injection flaw allows attackers to execute arbitrary code with the privileges of the user running Cursor, potentially leading to complete system compromise. The vulnerability's impact is amplified by the fact that it can be chained with other security weaknesses in the MCP service, creating a multi-layered attack approach that bypasses traditional security controls. The attack vector specifically targets the trust model established by OAuth, where the client application assumes the server's legitimacy without sufficient verification mechanisms.

The operational impact of CVE-2025-61591 extends beyond simple code execution to encompass full system compromise capabilities. Attackers can leverage this vulnerability to gain persistent access to development environments, potentially accessing sensitive source code, configuration files, and other intellectual property. The vulnerability affects developers who rely on Cursor's AI features, making it particularly dangerous in environments where code editors are used for critical development work. The risk is elevated because the attack requires minimal user interaction beyond establishing the connection to the malicious MCP server, making it an attractive target for automated exploitation. This vulnerability directly relates to ATT&CK technique T1059, "Command and Scripting Interpreter," and T1068, "Exploitation for Privilege Escalation," as it enables both command execution and privilege escalation within the user's environment.

Mitigation strategies for CVE-2025-61591 require immediate attention from users and organizations. The primary remediation involves updating to the patched version 2025.09.17-25b418f, which addresses the authentication and command injection flaws in the MCP protocol handling. Organizations should implement strict server validation procedures for all MCP connections, particularly when dealing with external services. Network segmentation and firewall rules can help limit exposure by restricting access to MCP servers. Security monitoring should focus on unusual command execution patterns and unauthorized connections to external MCP services. Additionally, users should avoid connecting to untrusted MCP servers and implement proper certificate validation for all external connections. The vulnerability highlights the importance of secure coding practices in AI-assisted development tools and demonstrates the need for robust authentication verification mechanisms in distributed systems. Regular security assessments and penetration testing should be conducted to identify similar trust boundary issues in other development tools and AI integration platforms.
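The server-validation step recommended above can be approximated by auditing an editor's MCP configuration against an allowlist of vetted hosts. This is an added example, not code from Cursor, VulDB or the advisory. It assumes an mcp.json-style file with a top-level `mcpServers` object whose remote entries carry a `url`; the hostnames and the allowlist are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample; the mcpServers/url layout is an assumption about the config file.
SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "internal-docs": {"url": "https://mcp.corp.example/sse"},
    "unvetted":      {"url": "https://mcp.unvetted.example/mcp"},
    "lookalike":     {"url": "https://mcp.corp.example.lookalike.test/sse"},
    "legacy":        {"url": "http://mcp.corp.example/sse"},
    "local-fs":      {"command": "npx", "args": ["-y", "example-mcp-server"]}
  }
}
""")

ALLOWED_HOSTS = {"mcp.corp.example"}  # hypothetical organisation allowlist


def audit_mcp_servers(config, allowed_hosts):
    """Return (server_name, reason) for each remote MCP entry that fails policy."""
    findings = []
    for name, entry in sorted(config.get("mcpServers", {}).items()):
        url = entry.get("url")
        if url is None:
            continue  # locally launched (stdio) server: no remote endpoint to vet here
        parts = urlsplit(url)
        host = (parts.hostname or "").rstrip(".").lower()
        if parts.scheme != "https":
            findings.append((name, "not https, server identity cannot be verified"))
        elif host not in allowed_hosts:
            # Exact match: a name that merely starts with an allowed host still fails.
            findings.append((name, f"host {host} is not on the allowlist"))
    return findings


if __name__ == "__main__":
    for name, reason in audit_mcp_servers(SAMPLE_CONFIG, ALLOWED_HOSTS):
        print(f"[review] {name}: {reason}")
```

Run against the sample, the audit flags the plain-HTTP entry, the lookalike hostname and the unvetted host, and passes only the allowlisted HTTPS server.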

Responsible

GitHub M

Reservation

09/26/2025

Disclosure

10/03/2025

Moderation

accepted

CPE

ready

EPSS

0.01110

KEV

no

Activities

very low
