CVE-2025-54133
CRITICALCursor 1.1.7-1.2 - OS Command Injection via MCP Deeplink Handler
Title source: llmDescription
Cursor is a code editor built for programming with AI. In versions 1.17 through 1.2, there is a UI information disclosure vulnerability in Cursor's MCP (Model Context Protocol) deeplink handler, allowing attackers to execute 2-click arbitrary system commands through social engineering attacks. When users click malicious `cursor://anysphere.cursor-deeplink/mcp/install` links, the installation dialog does not show the arguments being passed to the command being run. If a user clicks a malicious deeplink, then examines the installation dialog and clicks through, the full command including the arguments will be executed on the machine. This is fixed in version 1.3.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/cursor/cursor/security/advisories/GHSA-r22h-5wp2-2wfv
Scores
CVSS v3
9.6
EPSS
0.0032
EPSS Percentile
23.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
CWE-78
Status
published
Products (1)
anysphere/cursor
1.1.7 - 1.3
Published
Aug 02, 2025
Tracked Since
Feb 18, 2026