CVE-2025-64109 Overview
CVE-2025-64109 is a command injection vulnerability affecting the Cursor CLI Beta. Cursor is a code editor built for programming with AI. The vulnerability allows an attacker to achieve remote code execution through the Model Context Protocol (MCP) server mechanism by uploading a malicious MCP configuration in a .cursor/mcp.json file within a GitHub repository. When a victim clones the project and opens it using Cursor CLI, the command that launches the malicious MCP server runs immediately and without any warning, so attacker-supplied code can execute as soon as the project is opened.
Critical Impact
Attackers can achieve remote code execution by distributing malicious repositories containing weaponized MCP configuration files, compromising developer workstations upon project opening.
Affected Products
- Cursor CLI Beta versions prior to 2025.09.17-25b418f
- Cursor code editor installations using vulnerable CLI versions
- Development environments that clone and open untrusted repositories
Discovery Timeline
- 2025-11-05 - CVE-2025-64109 published to NVD
- 2025-11-06 - Last updated in NVD database
Technical Details for CVE-2025-64109
Vulnerability Analysis
This vulnerability is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The core issue lies in the Cursor CLI's handling of MCP (Model Context Protocol) configuration files without proper validation or user consent.
When a user opens a project directory with Cursor CLI, the application automatically parses the .cursor/mcp.json configuration file and executes any MCP server commands defined within it. This automatic execution occurs without warning the user or requiring explicit approval, creating a dangerous attack surface where malicious actors can embed arbitrary commands that execute immediately upon project loading.
The attack requires user interaction in the form of cloning a malicious repository and opening it with Cursor CLI, but no additional permissions or warnings are presented to alert the user to the risk.
Root Cause
The root cause is insufficient input validation and the absence of security controls around the automatic execution of MCP server configurations. The Cursor CLI trusts configuration files within project directories without:
- Validating the source or integrity of the configuration
- Prompting the user before executing potentially dangerous commands
- Sandboxing or restricting the capabilities of MCP server processes
- Implementing an allowlist or security policy for executable commands
Attack Vector
The attack vector is network-based, requiring an attacker to craft a malicious repository containing a weaponized .cursor/mcp.json file. The attack flow proceeds as follows:
- Attacker creates a legitimate-looking GitHub repository with useful code
- Attacker adds a malicious .cursor/mcp.json file with embedded commands
- Victim clones the repository (via git clone or similar)
- Victim opens the project directory using Cursor CLI
- Cursor CLI automatically reads and executes the MCP configuration
- Malicious commands execute with the victim's user privileges
The vulnerability is particularly dangerous in software supply chain contexts where developers frequently clone open-source projects for review, testing, or contribution. For detailed technical information, refer to the GitHub Security Advisory.
Detection Methods for CVE-2025-64109
Indicators of Compromise
- Presence of suspicious .cursor/mcp.json files in recently cloned repositories
- Unexpected process execution originating from Cursor CLI processes
- Unusual network connections initiated after opening projects in Cursor
- Modifications to system files or creation of persistence mechanisms following Cursor usage
Detection Strategies
- Monitor for child processes spawned by Cursor CLI that execute shell commands or scripts
- Implement file integrity monitoring on development workstations to detect unauthorized changes
- Scan cloned repositories for .cursor/mcp.json files before opening with Cursor CLI
- Use endpoint detection to identify suspicious command execution patterns from code editors
Monitoring Recommendations
- Configure EDR solutions to alert on unusual process trees originating from Cursor CLI
- Implement logging for all MCP server executions within Cursor environments
- Monitor for repository cloning activities followed by immediate suspicious process activity
- Review developer workstations for signs of compromise after opening untrusted repositories
How to Mitigate CVE-2025-64109
Immediate Actions Required
- Update Cursor to version 2025.09.17-25b418f or later immediately
- Audit recently opened projects for suspicious .cursor/mcp.json files
- Review system logs for any signs of unauthorized command execution
- Educate development teams about the risks of opening untrusted repositories
Patch Information
The vulnerability has been addressed in Cursor version 2025.09.17-25b418f. Users should update their Cursor installation to this version or later to remediate the vulnerability. The fix likely implements proper validation and user consent mechanisms before executing MCP server configurations. For additional details, see the GitHub Security Advisory.
Workarounds
- Manually inspect .cursor/mcp.json files in repositories before opening projects with Cursor CLI
- Remove or rename .cursor/mcp.json files from untrusted repositories before opening
- Use alternative code editors for reviewing untrusted codebases until the patch is applied
- Implement organizational policies requiring security review of third-party repositories before use
# Remove potentially malicious MCP configuration before opening with Cursor
find /path/to/cloned/repo -name "mcp.json" -path "*/.cursor/*" -exec rm -i {} \;
# Verify Cursor version is patched
cursor --version
# Expected output should include: 2025.09.17-25b418f or later
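The scan and manual-inspection steps listed above can be scripted so that every MCP server command in a cloned repository is shown to a reviewer before the project is opened. This is an added example, not code from Cursor or the advisory; it assumes the mcpServers / command / args layout Cursor documents for mcp.json, and the flagging heuristics, function names and sample config are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Assumes the documented layout: {"mcpServers": {name: {"command": ..., "args": [...]}}}
# Assumed triage heuristics (not from the advisory or Cursor's fix).
INTERPRETERS = {"sh", "bash", "zsh", "cmd", "powershell", "pwsh",
                "python", "python3", "node", "npx", "curl", "wget"}
SHELL_META = set(";|&`$<>")

def audit_repo(repo_root):
    """List every MCP server entry in any .cursor/mcp.json under repo_root."""
    findings = []
    for cfg in sorted(Path(repo_root).rglob("mcp.json")):
        if cfg.parent.name != ".cursor":
            continue
        try:
            data = json.loads(cfg.read_text(encoding="utf-8"))
            servers = data.get("mcpServers", {}).items()
        except (OSError, ValueError, AttributeError) as exc:
            findings.append({"file": str(cfg), "server": None, "argv": [],
                             "reasons": [f"unparseable: {exc}"]})
            continue
        for name, spec in servers:
            spec = spec if isinstance(spec, dict) else {}
            args = spec.get("args") if isinstance(spec.get("args"), list) else []
            argv = [str(spec.get("command", ""))] + [str(a) for a in args]
            prog = Path(argv[0]).name.lower().removesuffix(".exe")
            reasons = []
            if prog in INTERPRETERS:
                reasons.append(f"interpreter or downloader: {prog}")
            if any(ch in SHELL_META for part in argv for ch in part):
                reasons.append("shell metacharacters in argv")
            findings.append({"file": str(cfg), "server": name,
                             "argv": argv, "reasons": reasons})
    return findings

def demo():
    """Audit a constructed sample repo; the config below is made up for the demo."""
    sample = {"mcpServers": {
        "docs": {"command": "/usr/local/bin/docs-mcp", "args": ["--stdio"]},
        "helper": {"command": "sh", "args": ["-c", "echo constructed | tee /dev/null"]}}}
    with tempfile.TemporaryDirectory() as repo:
        cfg = Path(repo, ".cursor", "mcp.json")
        cfg.parent.mkdir()
        cfg.write_text(json.dumps(sample), encoding="utf-8")
        return audit_repo(repo)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Every entry is reported, flagged or not, because on a vulnerable CLI version any configured command runs on open; the reasons only help order the review.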