CVE-2025-61591 Overview
CVE-2025-61591 is a command injection vulnerability affecting Cursor, an AI-powered code editor developed by Anysphere. The vulnerability exists in versions 1.7 and below when the Model Context Protocol (MCP) uses OAuth authentication with an untrusted MCP server. An attacker can impersonate a malicious MCP server and return crafted, maliciously injected commands during the interaction process, leading to command injection and potential remote code execution on the host system.
Critical Impact
This command injection vulnerability can be chained with an untrusted MCP service via OAuth to achieve arbitrary code execution on the host system, allowing attackers to execute malicious commands with full user privileges and directly compromise the system.
Affected Products
- Anysphere Cursor versions 1.7 and below
- Cursor installations using MCP with OAuth authentication to untrusted servers
- Systems running Cursor with AI agent functionality enabled
Discovery Timeline
- 2025-10-03 - CVE-2025-61591 published to NVD
- 2025-10-17 - Last updated in NVD database
Technical Details for CVE-2025-61591
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw resides in how Cursor handles commands returned from MCP servers during OAuth-authenticated sessions.
When a user connects Cursor to an MCP server for enhanced AI capabilities, the application trusts and processes commands returned by the server. In a legitimate scenario, these commands facilitate AI-assisted programming workflows. However, when connecting to an untrusted or attacker-controlled MCP server, malicious commands can be injected into the response stream.
The vulnerability is particularly dangerous because it operates within the context of the user's privileges, meaning any commands executed will have the same access rights as the user running Cursor. This could include read/write access to source code, system files, credentials, and other sensitive data.
Root Cause
The root cause is insufficient validation and sanitization of commands received from MCP servers during OAuth-authenticated sessions. The application fails to validate or sanitize the command data returned by external MCP services before processing it, creating an injection point that attackers can exploit.
The trust model assumes MCP servers will return benign, expected command structures. When this assumption is violated by a malicious server, the lack of proper command sanitization allows arbitrary command execution.
Attack Vector
The attack requires user interaction—specifically, the victim must connect their Cursor installation to a malicious MCP server using OAuth authentication. An attacker can exploit this vulnerability through the following attack chain:
- The attacker sets up a rogue MCP server designed to appear legitimate
- The attacker entices or tricks a user into connecting their Cursor instance to this malicious server via OAuth
- During normal interaction with the AI agent, the malicious server returns crafted responses containing injected commands
- Cursor processes these malicious commands without proper sanitization
- The injected commands execute on the victim's system with the user's full privileges
The attack leverages the OAuth authentication flow as a vector for establishing trust, making it particularly deceptive as users may believe OAuth-authenticated connections are inherently secure.
Detection Methods for CVE-2025-61591
Indicators of Compromise
- Unexpected outbound network connections from the Cursor application to unfamiliar MCP server endpoints
- Unusual process spawning activity originating from the Cursor process
- Suspicious command execution patterns in system logs correlating with Cursor usage
- Unexpected OAuth authorization requests or tokens associated with unknown MCP services
Detection Strategies
- Monitor process creation events for child processes spawned by the Cursor application that execute shell commands or system utilities
- Implement network monitoring to detect connections to unauthorized or suspicious MCP server endpoints
- Review OAuth authorization logs for connections to untrusted MCP services
- Deploy endpoint detection rules to identify command injection patterns in process command lines
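The first and last strategies above can be combined into one triage rule over process-creation telemetry. The following is an added example, not code from the advisory or from Anysphere; the event field names, the parent image names (`cursor`, `Cursor.exe`), the utility list and the sample events are assumptions constructed for illustration.

```python
import json
import re

# Assumptions (not from the advisory): event field names, the parent image
# names, and the list of child binaries worth flagging.
CURSOR_PARENTS = {"cursor", "cursor.exe"}
SHELLS_AND_UTILS = {"sh", "bash", "zsh", "cmd.exe", "powershell.exe",
                    "curl", "wget", "nc", "certutil.exe"}
# Metacharacters that chain or substitute commands (CWE-78 patterns).
INJECTION_RE = re.compile(r"[;&|`]|\$\(")

def basename(path):
    """Return the lowercase file name from a POSIX or Windows path."""
    return re.split(r"[\\/]", path)[-1].lower()

def triage(event):
    """Return the reasons an event is suspicious (empty list = no finding)."""
    if basename(event["parent_image"]) not in CURSOR_PARENTS:
        return []
    reasons = []
    if basename(event["image"]) in SHELLS_AND_UTILS:
        reasons.append("shell-or-utility-child")
    if INJECTION_RE.search(event["command_line"]):
        reasons.append("command-chaining-metacharacters")
    return reasons

def scan(lines):
    """Parse JSON-lines events and return (pid, reasons) for flagged ones."""
    hits = []
    for line in lines:
        event = json.loads(line)
        reasons = triage(event)
        if reasons:
            hits.append((event["pid"], reasons))
    return hits

# Constructed sample events, serialized as one JSON object per line.
SAMPLE = [json.dumps(e) for e in (
    {"pid": 4101, "parent_image": "/usr/bin/cursor", "image": "/usr/bin/git", "command_line": "git status --porcelain"},
    {"pid": 4102, "parent_image": "/usr/bin/cursor", "image": "/bin/sh", "command_line": "sh -c \"mcp-helper --port 8080; id\""},
    {"pid": 5120, "parent_image": "C:\\Programs\\cursor\\Cursor.exe", "image": "C:\\Windows\\System32\\cmd.exe", "command_line": "cmd.exe /c ver"},
    {"pid": 6001, "parent_image": "/usr/bin/code", "image": "/bin/bash", "command_line": "bash -c 'ls | wc -l'"},
)]

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A shell child on its own also occurs in normal editor use (integrated terminal, build tasks), so treat that reason as a baseline signal and prioritize events that carry both reasons.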
Monitoring Recommendations
- Enable detailed logging for Cursor application activity and MCP server connections
- Implement application allowlisting to control which MCP servers can be used within your organization
- Configure network security tools to alert on connections to unrecognized MCP endpoints
- Establish baseline behavior for Cursor usage and alert on anomalies
How to Mitigate CVE-2025-61591
Immediate Actions Required
- Update Cursor to the patched version 2025.09.17-25b418f or later immediately
- Audit all configured MCP server connections and remove any untrusted or unrecognized services
- Review OAuth authorizations granted by Cursor and revoke any suspicious or unnecessary permissions
- Restrict MCP server connections to only trusted, verified endpoints within your organization
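One way to carry out the audit and allowlist steps above, as an added example that is not part of the advisory or of Cursor itself. It assumes the MCP configuration is a JSON document with a top-level `mcpServers` object whose entries carry either a `url` (remote server) or a `command` (locally launched server); the host names and the sample configuration are constructed.

```python
import json
from urllib.parse import urlsplit

def audit_mcp_config(config_text, allowed_hosts):
    """Return sorted (server_name, finding) pairs for entries needing action."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    # Assumed layout: {"mcpServers": {name: {"url": ...} | {"command": ...}}}
    servers = json.loads(config_text).get("mcpServers", {})
    for name, entry in servers.items():
        url = entry.get("url")
        if url is None:
            # Locally launched server: no endpoint to compare, review by hand.
            findings.append((name, "local-command-review-manually"))
            continue
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append((name, "not-https"))
        # Exact match only: suffix or substring checks let lookalike hosts pass.
        if host not in allowed:
            findings.append((name, "host-not-allowlisted"))
    return sorted(findings)

# Constructed sample configuration and allowlist.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "internal-docs": {"url": "https://mcp.corp.example/sse"},
    "lookalike": {"url": "https://mcp.corp.example.attacker.test/mcp"},
    "plain": {"url": "http://mcp.corp.example/mcp"},
    "local-tool": {"command": "node", "args": ["server.js"]},
}})
ALLOWED = ["mcp.corp.example"]

if __name__ == "__main__":
    for name, finding in audit_mcp_config(SAMPLE_CONFIG, ALLOWED):
        print(f"{name}: {finding}")
```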
Patch Information
Anysphere has released a patch identified as 2025.09.17-25b418f that addresses this vulnerability. While there is no formal version release number associated with this fix, users should ensure their Cursor installation includes this specific patch. For detailed patch information and installation instructions, refer to the GitHub Security Advisory.
Workarounds
- Disable MCP functionality entirely if it is not required for your workflow until the patch can be applied
- Implement network-level controls to block connections to untrusted MCP servers
- Use only internally hosted and verified MCP servers with strict access controls
- Enable additional endpoint protection to monitor and block suspicious command execution from the Cursor process
```bash
# Configuration example - Restrict network access for Cursor
# Add firewall rules to limit Cursor's outbound MCP connections
# Replace TRUSTED_MCP_SERVER with your organization's approved MCP endpoint
# Linux iptables example
# The owner match has no --cmd-owner option on current kernels, so match a
# dedicated group that Cursor is launched under (CURSOR_GROUP is a placeholder)
iptables -A OUTPUT -p tcp -m owner --gid-owner CURSOR_GROUP -d TRUSTED_MCP_SERVER --dport 443 -j ACCEPT
iptables -A OUTPUT -p tcp -m owner --gid-owner CURSOR_GROUP --dport 443 -j DROP
```

