Overview
In the world of programming, code editors play a crucial role. One such editor, Cursor, which is built specifically for AI programming, has been identified with a severe vulnerability (CVE-2025-61591) in versions 1.7 and below. This vulnerability, if exploited, could lead to system compromise or data leakage, posing significant security threats to organizations and individuals using the affected versions of Cursor. The exploit works when MCP uses OAuth authentication with an untrusted MCP server, leading to potential remote code execution and command injection.
Vulnerability Summary
CVE ID: CVE-2025-61591
Severity: High (8.8)
Attack Vector: Network
Privileges Required: Low
User Interaction: Required
Impact: Potential system compromise or data leakage
Affected Products
Share secrets securely
Ameeba is private infrastructure for communication and sensitive work built on encrypted identity instead of exposed corporate identity systems.
Passwords, credentials, confidential files, screenshots, internal discussions, sensitive AI context, and private coordination should not become exposed across ordinary communication platforms.
- • Encrypted identity
- • Private Spaces for organizations and teams
- • End-to-end encrypted chat, calls, files, and notes
- • Sensitive AI work and protected collaboration
- • Built for information that cannot leak
Our mission is to secure human work alongside AI.
Product | Affected Versions
Cursor | 1.7 and below
How the Exploit Works
The exploit works when the Cursor code editor interacts with an untrusted MCP server using OAuth authentication. During this interaction, an attacker can impersonate a malicious MCP server and return crafted, maliciously injected commands. These commands could allow arbitrary code execution on the host by the agent, leading to a system compromise. The attacker could then run arbitrary commands with full user privileges, potentially leading to data leakage or further system compromise.
Conceptual Example Code
Below is a conceptual example of how this vulnerability might be exploited:
POST /mcp/oauth/token HTTP/1.1
Host: untrusted-mcp-server.com
Content-Type: application/json
{
"grant_type": "authorization_code",
"code": "AUTH_CODE",
"redirect_uri": "http://localhost:8080/callback",
"client_id": "CLIENT_ID",
"client_secret": "CLIENT_SECRET",
"commands": "{malicious_commands}"
}
In this example, the attacker impersonates the MCP server and sends a response containing malicious commands in the `commands` field. These commands could be crafted to exploit the command injection vulnerability in the Cursor code editor, leading to arbitrary code execution.
Mitigation Guidance
While the issue has no fixed release version yet, a patch (2025.09.17-25b418f) has been provided by the vendor. Users are strongly advised to apply this patch immediately to mitigate the risk. In case the patch cannot be applied immediately, using a Web Application Firewall (WAF) or an Intrusion Detection System (IDS) can serve as temporary mitigation. These systems can help detect and block malicious traffic, thereby reducing the risk of exploitation. Users should also ensure only trusted MCP servers are used for OAuth authentication to avoid potential exploitation.
