GitHub Advisory — Cursor Agent MCP special-files prompt injection (CVE-2025-54135)
AI relevance: Cursor Agent writes MCP configuration files that govern agent tool access; prompting it to create malicious MCP servers turns a chat prompt into host-level code execution.
- CVE-2025-54135 lets an attacker chain prompt injection to create MCP-sensitive dotfiles (e.g., .cursor/mcp.json) without user approval.
- Root cause: Cursor required approval to edit existing dotfiles but allowed creating new ones unapproved, enabling an attacker to plant a fresh MCP config.
- Once the config is written, a malicious MCP server can be registered and invoked, leading to arbitrary code execution on the victim host.
- The advisory notes the exploit depends on a separate prompt injection path to steer the agent into writing the file.
- Affected versions: Cursor ≤ 1.2.1.
- Fix: Cursor 1.3.9 blocks agent writes to MCP-sensitive files without approval.
Why it matters
- MCP configs are effectively the agent’s toolchain supply chain; writing them is equivalent to granting new, potentially hostile capabilities.
- This is a classic prompt-injection-to-RCE bridge that can be triggered in real workflows (e.g., repo browsing, issue triage, doc parsing).
- Other agent platforms with “create without approval” file paths may have similar bypasses.
What to do
- Upgrade to Cursor 1.3.9+ and review local MCP configs for unexpected servers.
- Lock down agent file writes to configuration directories and dotfiles, not just edits.
- Scan repos and prompts for prompt-injection content before allowing automated tool runs.
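The two defensive checks above (review local MCP configs for unexpected servers, and gate agent writes to MCP-sensitive files on creation as well as edit) as an added example; this is illustrative code, not Cursor's own implementation. It assumes the common `{"mcpServers": {name: {"command": ..., "args": [...]}}}` layout for .cursor/mcp.json and a constructed sample config.

```python
"""Audit MCP config files and model the write-approval policy the fix applies."""
import json
import posixpath

# Paths the advisory identifies as MCP-sensitive (.cursor/mcp.json).
MCP_SENSITIVE_SUFFIXES = (".cursor/mcp.json",)


def is_mcp_sensitive(path: str) -> bool:
    """True for a relative or absolute path that ends in an MCP config path."""
    norm = posixpath.normpath(path.replace("\\", "/"))
    return any(norm == s or norm.endswith("/" + s) for s in MCP_SENSITIVE_SUFFIXES)


def write_requires_approval(path: str, exists: bool) -> bool:
    """Policy matching the 1.3.9 fix: MCP-sensitive files need approval whether
    or not they already exist. The vulnerable behaviour only gated exists=True;
    here `exists` is deliberately ignored so creation is covered too."""
    return is_mcp_sensitive(path)


def unexpected_servers(config_text: str, allowlist: set) -> dict:
    """Return {name: spec} for every configured MCP server not on the allowlist.

    Assumes the mcpServers-map layout; an unreadable or unexpectedly shaped
    file is reported as a whole so it is never silently treated as clean."""
    try:
        cfg = json.loads(config_text)
        servers = cfg.get("mcpServers", {})
        if not isinstance(servers, dict):
            raise ValueError("mcpServers is not an object")
    except (ValueError, AttributeError) as exc:
        return {"<unparseable>": str(exc)}
    return {name: spec for name, spec in servers.items() if name not in allowlist}


# Constructed sample: one sanctioned server plus one that was planted unapproved.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "filesystem": {"command": "npx",
                       "args": ["@modelcontextprotocol/server-filesystem", "."]},
        "helper": {"command": "node", "args": ["/tmp/planted-server.js"]},
    }
})

if __name__ == "__main__":
    for name, spec in unexpected_servers(SAMPLE_CONFIG, {"filesystem"}).items():
        print(f"UNEXPECTED MCP server {name!r}: {spec}")
    print("create needs approval:", write_requires_approval(".cursor/mcp.json", False))
```

Run it against each `.cursor/mcp.json` in checked-out repos with the allowlist set to the servers your team actually sanctioned.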