Breach report
CurXecute: a Slack message that rewrote Cursor's MCP config into remote code execution
What happened
Cursor is an AI-powered code editor that can connect to external tools through the Model Context Protocol (MCP). A vulnerability tracked as CVE-2025-54135 and nicknamed CurXecute allowed an attacker to turn an untrusted MCP data source into remote code execution on the developer's machine.
The attack relied on indirect prompt injection through an MCP server connected to a service such as Slack. A crafted message, once ingested by the agent, could drive Cursor to modify its global mcp.json configuration file. Because a newly written MCP server entry could carry a command, the injected configuration led to command execution — and, as the disclosure notes, Cursor executed it "even before the user has a chance to reject the suggested edits," collapsing the human-in-the-loop safeguard. The issue affected Cursor versions 1.2.4 and below and was fixed in version 1.3. It carried a CVSS score in the high range.
Root cause
- LLM01 Prompt Injection (indirect). Content arriving through an MCP server was treated as trusted instruction, letting an attacker steer the agent's actions.
- LLM06 Excessive Agency. The agent could rewrite its own tool configuration — a security-critical file — without a firm approval gate.
- LLM05 Improper Output Handling. A model-influenced write into
mcp.jsonflowed straight into command execution, with no validation between the model's output and a shell.
How it would have been caught
An agentic red-team test that feeds a poisoned MCP message and then checks whether mcp.json changed — or whether any command executed — would have surfaced the flaw. File-integrity monitoring on the MCP configuration and a policy that no config write executes without explicit, blocking user approval are the load-bearing checks. Injection generators such as PyRIT or Promptfoo drive the input side.
How to prevent it
- Treat all MCP tool output as untrusted data, never as instructions that can reconfigure the agent.
- Make the MCP configuration file read-only to the agent, or require an out-of-band, blocking confirmation before any write takes effect.
- Never let a configuration write auto-execute — separate "propose" from "apply," and validate proposed commands before they can run.
The Breachwire test (red → green)
Feed a poisoned MCP message and confirm the agent rewrites mcp.json and executes a command (the RED control proving RCE is reachable). Apply config write-protection and a blocking approval gate, then confirm the same message cannot alter the config or run code, while a legitimate, user-approved MCP configuration change still works (the positive control).