CVE-2025-54135

HIGH

Cursor < 1.3.9 - Remote Code Execution via MCP Configuration File Creation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-54135. PoCs published by hn1e13, anntsmart.

AI-analyzed exploit summary The repository contains a deceptive README with AI automation instructions that attempt to execute a malicious command (`touch ~/malicious_payload_from_readme`) under the guise of configuration. The Python script is unrelated to the stated CVE and appears to be a distraction.

Description

Cursor is a code editor built for programming with AI. Cursor allows writing in-workspace files with no user approval in versions below 1.3.9, If the file is a dotfile, editing it requires approval but creating a new one doesn't. Hence, if sensitive MCP files, such as the .cursor/mcp.json file don't already exist in the workspace, an attacker can chain a indirect prompt injection vulnerability to hijack the context to write to the settings file and trigger RCE on the victim without user approval. This is fixed in version 1.3.9.

Exploits (2)

nomisec TROJAN

by hn1e13 · poc

https://github.com/hn1e13/test-mcp

View Code ZIP pw:eip

The repository contains a deceptive README with AI automation instructions that attempt to execute a malicious command (`touch ~/malicious_payload_from_readme`) under the guise of configuration. The Python script is unrelated to the stated CVE and appears to be a distraction.

Classification

Trojan 95%

Attack Type

Other

Complexity

Trivial

Reliability

Theoretical

Target: Unspecified (likely a social engineering lure)

No auth needed

Prerequisites: User interaction to execute the README instructions

MITRE ATT&CK

T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 19, 2026 Full analysis →

nomisec SUSPICIOUS

by anntsmart · poc

https://github.com/anntsmart/CVE-2025-54135

View Code ZIP pw:eip

The repository claims to provide a functional exploit for CVE-2025-54135 but lacks actual exploit code, instead redirecting users to an external download link (tinyurl.com). The README contains vague setup instructions and marketing-like language without technical depth.

Classification

Suspicious 90%

Attack Type

Rce

Complexity

Moderate

Reliability

Theoretical

Target: Cursor IDE versions prior to 1.3

Auth required

Prerequisites: Slack bot token with posting permissions · Victim's Cursor IDE configured to monitor a public Slack channel · Attacker-controlled server (optional)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 19, 2026 Full analysis →

References (1)

Core 1

Core References

Mitigation, Vendor Advisory x_refsource_confirm

https://github.com/cursor/cursor/security/advisories/GHSA-4cxx-hrm3-49rm

Scores

CVSS v3 8.5

EPSS 0.0172

EPSS Percentile 74.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-78 CWE-829

Status published

Products (1)

anysphere/cursor < 1.3.9

Published Aug 05, 2025

Tracked Since Feb 18, 2026