CVE-2025-64106 Overview
CVE-2025-64106 is a command injection vulnerability affecting Cursor, a popular AI-powered code editor developed by Anysphere. The vulnerability exists in Cursor's MCP (Model Context Protocol) server installation component, where an input validation flaw enables specially crafted deep-links to bypass standard security warnings and conceal executed commands from users who choose to accept the server connection.
This vulnerability allows attackers to craft malicious deep-links that, when clicked by a victim, bypass the standard "speedbump" modal warning designed to protect users. If the victim accepts the server connection, commands specified by the attacker's deep-link will be executed without the user's full awareness of what they are authorizing.
Critical Impact
Attackers can leverage social engineering combined with malicious deep-links to execute arbitrary commands on victim systems, potentially leading to complete system compromise, data theft, or malware installation.
Affected Products
- Anysphere Cursor versions 1.7.28 and below
- All platforms running vulnerable Cursor versions with MCP server functionality enabled
Discovery Timeline
- 2025-11-04 - CVE-2025-64106 published to NVD
- 2025-11-07 - Last updated in NVD database
Technical Details for CVE-2025-64106
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw resides in how Cursor processes and validates deep-link parameters before presenting security prompts to users.
When a user clicks a deep-link designed to install an MCP server, Cursor should display a security warning modal (referred to as a "speedbump") that clearly shows the user what commands will be executed. However, due to improper input validation, an attacker can craft a deep-link that causes the modal to display incorrect or misleading information while the actual command payload remains hidden.
The attack requires user interaction—specifically, the victim must be convinced to click a malicious deep-link and then accept the server connection. However, the social engineering barrier is lowered because the security modal fails to accurately represent the danger.
Root Cause
The root cause of CVE-2025-64106 is insufficient input validation and sanitization in the deep-link URL handler for MCP server installations. The application fails to properly validate and escape special characters or command sequences within the deep-link parameters, allowing attackers to inject hidden commands that bypass the visual security controls presented to users.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker must:
- Craft a malicious deep-link containing hidden command injection payloads
- Distribute the deep-link via phishing emails, malicious websites, or social engineering
- Convince the victim to click the deep-link and accept the MCP server installation
- The hidden commands execute on the victim's system with the user's privileges
The vulnerability exploits the trust users place in Cursor's security modal, which is designed to protect them from malicious server connections but fails to accurately display the true nature of the requested action due to the input validation flaw.
Detection Methods for CVE-2025-64106
Indicators of Compromise
- Unusual Cursor deep-link invocations in browser history or application logs
- Unexpected MCP server installations or connections in Cursor settings
- Suspicious child processes spawned by the Cursor application
- Unusual outbound network connections originating from Cursor processes
Detection Strategies
- Monitor for deep-link activations containing encoded or obfuscated parameters targeting Cursor
- Implement endpoint detection rules to identify anomalous process spawning from code editor applications
- Review system logs for unexpected command executions coinciding with Cursor usage
- Deploy application whitelisting to control what MCP servers can be installed
Monitoring Recommendations
- Enable verbose logging in Cursor application settings to capture deep-link processing events
- Configure EDR solutions to monitor process trees originating from Cursor executables
- Implement network monitoring for connections to unknown MCP servers
- Regularly audit installed MCP servers and review their connection history
How to Mitigate CVE-2025-64106
Immediate Actions Required
- Update Cursor to a version newer than 1.7.28 that addresses this vulnerability
- Educate users about the risks of clicking deep-links from untrusted sources
- Review currently installed MCP servers and remove any suspicious or unauthorized connections
- Consider temporarily disabling deep-link handling for MCP server installations until patched
Patch Information
Anysphere has addressed this vulnerability in versions following 1.7.28. Users should update to the latest available version of Cursor immediately. For detailed information about the fix and affected versions, refer to the GitHub Security Advisory GHSA-4575-fh42-7848.
Workarounds
- Disable automatic handling of Cursor deep-links at the operating system level
- Implement strict URL filtering at the network perimeter to block suspicious deep-link patterns
- Use application control policies to prevent unauthorized MCP server installations
- Train users to manually verify MCP server details through Cursor's settings interface rather than accepting deep-link initiated installations
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
