CVE-2025-54135, CVE-2025-54136: Frequently Asked Questions About Vulnerabilities in Cursor IDE (CurXecute and MCPoison)

Researchers have disclosed two vulnerabilities in Cursor, the popular AI-assisted code editor, that impact its handling of model context protocol (MCP) servers, which could be used to gain code execution on vulnerable systems.

Background

Tenable’s Research Special Operations (RSO) team has compiled this blog to answer Frequently Asked Questions (FAQ) regarding two recently disclosed vulnerabilities in Cursor IDE.

FAQ

What is Cursor?

Cursor is an AI-assisted integrated development environment (IDE), or AI code editor, developed by Anysphere. It was first released in March 2023.

Who uses Cursor?

In January 2025, Cursor had over 1 million users, according to a Bloomberg report. The company states that Cursor is used by over half of the Fortune 500, naming NVIDIA, Uber and Adobe among its customers.

What is CurXecute and MCPoison?

CurXecute and MCPoison are the names given to two separate vulnerabilities in Cursor.

What are the vulnerabilities associated with CurXecute and MCPoison?

The following are the CVEs assigned for both CurXecute and MCPoison:

When were these vulnerabilities first disclosed?

CurXecute (CVE-2025-54135) was disclosed on August 1 by researchers at AIM Security while MCPoison (CVE-2025-54136) was disclosed on August 5 by researchers at Check Point Research.

Were any of these vulnerabilities exploited as a zero-day?

No, these vulnerabilities were disclosed to Cursor by the respective researchers through coordinated disclosure on July 7 (CurXecute) and July 16 (MCPoison).

Are there any proofs-of-concept (PoCs) available for CurXecute and MCPoison?

Yes, the researchers have published PoC details on their respective blog posts, explaining how attackers could potentially exploit these flaws.

How severe are CurXecute and MCPoison?

Both vulnerabilities have the potential to be severe, but it is context dependent. The common thread between the two flaws is how Cursor handles interaction with MCP servers.

For a primer on MCP, read the blog Frequently Asked Questions About Model Context Protocol (MCP) and Integrating with AI for Agentic Applications. Additionally, Tenable Research has published investigations into MCP security, including MCP prompt injection and our discovery of a critical flaw in Anthropic MCP Inspector.

In the example outlined by AIM Security for CurXecute, an attacker could leverage prompt injection by targeting an MCP connected to a Slack instance, sending a crafted message that would be processed by the Slack MCP Server and read by Cursor to modify the underlying global mcp.json configuration settings even before the user has a chance to reject the suggested edits by AI. Crucially, Cursor would execute the command added to the modified MCP configuration immediately.

In the example outlined by Check Point Research for MCPoison, the flaw stems from the approval of an MCP server that contains a project-specific configuration (mcp.json). Once this MCP server has been approved by the target, any changes to the underlying configuration are considered trusted because it is bound by the MCP name not its contents. This would allow an attacker to modify the configuration to include malicious commands that would be executed silently and without requiring re-approval.

AI-assisted code editors help with the development of software but they introduce a new layer of risk. Whether through enabling MCP servers that could be vulnerable to prompt injection (CurXecute) or leveraging a seemingly harmless open-source project that is then compromised by a malicious contributor (MCPoison).

Are patches or mitigations available for CurXecute and MCPoison?

Yes, Cursor has released updated versions of its IDE to address both CurXecute and MCPoison.

Has Tenable released any product coverage for these vulnerabilities?

A list of Tenable plugins for these vulnerabilities can be found on the individual CVE pages as they’re released:

• CVE-2025-54135
• CVE-2025-54136

This link will display all available plugins for these vulnerabilities, including upcoming plugins in our Plugins Pipeline.

Customers can also use our MCP Server Detected plugin to identify MCP server usage.

Get more information

• When Public Prompts Turn Into Local Shells: ‘CurXecute’ – RCE in Cursor via MCP Auto‑Start
• MCPoison Cursor IDE: Persistent Code Execution via MCP Trust Bypass

Join Tenable's Research Special Operations (RSO) Team on the Tenable Community.
Learn more about Tenable One, the Exposure Management Platform for the modern attack surface.