Overview
A malicious MCP server can inject JavaScript into Cursor's built-in browser. Cursor lacks integrity checks on runtime components loaded through MCP interactions, enabling arbitrary code execution within the IDE's browser context.
Who Is Affected
Demonstrated by security researcher 0xrelogic with a working proof-of-concept. Affects Cursor IDE users who connect to untrusted MCP servers that can influence browser-rendered content.
Where It Exists
The vulnerability is in Cursor's built-in browser component and its interaction with MCP server responses. The IDE does not validate or sanitize content that flows into its browser runtime.
When It Was Found
Published July 2025 as a proof-of-concept demonstration with detailed exploit code.
How It Works
A rogue MCP server returns specially crafted responses containing JavaScript payloads. When Cursor processes these responses and renders them in its built-in browser component, the JavaScript executes within the IDE's browser context. The lack of integrity checks on runtime components means the injected code runs with the browser's full privileges within the IDE.
Impact
Arbitrary JavaScript execution within Cursor's browser context. Depending on the browser's privilege level, this can lead to access to IDE APIs, file system operations, credential theft from browser storage, and potential escalation to full IDE compromise. The attack demonstrates that MCP server responses can escape their intended sandbox.
Mitigation
Implement Content Security Policy (CSP) for Cursor's built-in browser. Sanitize all MCP server output before rendering in browser contexts. Add integrity checks for runtime components. Isolate the browser component from IDE-privileged APIs. Restrict what content MCP servers can inject into rendered views.