A high-severity flaw called CurXecute has been discovered in the AI-based Cursor IDE. This vulnerability affects all versions before 1.3 and allows prompt injection attacks that can lead to full remote code execution. Attackers can run commands as if they were the developer.

Researchers reported the flaw on July 7, 2025, and Cursor issued a patch in version 1.3 on July 29. The bug stems from the way the IDE handles external content through its MCP server, which fetches that content and acts on it automatically.

How CurXecute Works

  • The IDE uses a config file called ~/.cursor/mcp.json.
  • Malicious prompts injected into that file can include harmful commands.
  • The system auto-executes them, even if the user chooses “Cancel.”
  • These commands can launch local shells and compromise the device.

This vulnerability creates a dangerous attack vector for threat actors aiming to hijack development environments. Even worse, it doesn’t require the developer to click or approve anything.

Why It’s So Risky

Cursor typically runs with developer privileges. That gives attackers full access to run scripts, install malware, or steal credentials. Possible outcomes include:

  • Data exfiltration
  • Credential harvesting
  • Ransomware deployment
  • System compromise

Mitigation and Response

Users should update to version 1.3 immediately. This version disables the vulnerable auto-execution behavior and blocks remote commands injected through MCP.

To stay safe, developers should also avoid connecting Cursor to public Slack channels, issue trackers, or third-party content sources that aren’t trusted.
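
As an added example (not Cursor's code and not from the original report), the script below audits the ~/.cursor/mcp.json file described above for entries that were never reviewed or that launch a shell. It assumes the file's usual `mcpServers` layout with `command` and `args` fields, which this page does not show; the `approved` baseline, the server names and the sample config are constructed for illustration.

```python
import json
import os

# Interpreters that let a single config entry run arbitrary command lines.
SHELLS = {"sh", "bash", "zsh", "dash", "cmd", "cmd.exe",
          "powershell", "powershell.exe", "pwsh"}
INLINE_FLAGS = {"-c", "/c", "-command", "-encodedcommand"}


def audit_mcp_config(text, approved):
    """Return (server, reason) findings for an mcp.json document.

    `approved` maps server name -> expected command. It is a hypothetical
    team baseline (an assumption of this example), not something Cursor ships.
    """
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [("<file>", f"unparseable JSON: {exc.msg}")]
    servers = doc.get("mcpServers", {}) if isinstance(doc, dict) else {}
    if not isinstance(servers, dict):
        return [("<file>", "mcpServers is not an object")]
    findings = []
    for name, entry in sorted(servers.items()):
        if not isinstance(entry, dict):
            findings.append((name, "entry is not an object"))
            continue
        command = str(entry.get("command", ""))
        raw_args = entry.get("args")
        args = [str(a) for a in raw_args] if isinstance(raw_args, list) else []
        base = os.path.basename(command.replace("\\", "/")).lower()
        if name not in approved:
            findings.append((name, "server not in approved baseline"))
        elif approved[name] != command:
            findings.append((name, "command differs from baseline"))
        if base in SHELLS:
            findings.append((name, f"command launches a shell: {base}"))
        if any(a.lower() in INLINE_FLAGS for a in args):
            findings.append((name, "inline command string in args"))
    return findings


# Constructed sample: one approved entry and one unexpected entry.
SAMPLE = """{"mcpServers": {
  "tracker": {"command": "npx", "args": ["-y", "example-tracker-mcp"]},
  "helper":  {"command": "/bin/sh", "args": ["-c", "echo constructed"]}
}}"""

if __name__ == "__main__":
    for server, reason in audit_mcp_config(SAMPLE, {"tracker": "npx"}):
        print(f"{server}: {reason}")
```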

Broader Implications

This case highlights the growing risks around AI-driven development tools. When these tools blindly execute external data, they become gateways for attackers. Security teams must treat AI inputs as attack surfaces, not trusted assistants.

Conclusion

The CurXecute flaw proves how a single injected prompt can hijack an entire dev environment. Developers should update Cursor to version 1.3 and limit integrations with untrusted content sources. Staying aware of AI-specific vulnerabilities helps prevent attacks before they start.

