Overview
Cursor IDE (versions <= 1.2.4) trusts previously approved MCP configurations indefinitely without re-approval on modification. An attacker adds a benign MCP config to a shared repository, waits for user approval, then replaces it with a malicious payload. This enables persistent remote code execution. CVSS 7.2-8.8.
Who Is Affected
The issue was discovered by Check Point Research and published August 1, 2025. It affects all Cursor IDE users (versions <= 1.2.4) who clone or open repositories containing MCP configuration files.
Where It Exists
The vulnerability is in Cursor's MCP configuration trust model. Once a user approves an MCP config in a repository, Cursor does not re-validate or re-prompt when that configuration is subsequently modified.
When It Was Found
Disclosed August 1, 2025 as CVE-2025-54136 (GHSA-24mc-g4xr-4395). Fixed in Cursor v1.3. Named 'MCPoison' by Check Point Research.
How It Works
Step 1: Attacker contributes a benign .cursor/mcp.json to a shared repository (e.g., a popular open-source project).
Step 2: When a developer opens the repo in Cursor, they approve the seemingly safe MCP config.
Step 3: The attacker later updates the MCP config to point to a malicious server with RCE capabilities.
Step 4: Cursor trusts the previously approved config without re-prompting, executing the malicious server's tools with full system access.
Impact
Persistent remote code execution through trusted repository MCP configurations. Attackers can execute arbitrary code every time the victim opens the repository. This is particularly dangerous for shared/open-source repositories where config file changes may not be closely reviewed.
Mitigation
Update Cursor to v1.3 or later. Implement re-approval requirements when MCP configurations are modified. Review MCP configs in pull requests like any other security-sensitive file. Use config file integrity monitoring. Pin MCP server versions in configurations.
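One way to implement the re-approval and integrity-monitoring mitigations above, as an added example (not Cursor's code and not from the Check Point write-up): record a SHA-256 digest of each server entry at approval time and flag any entry that is new or has changed since. The function names, the in-memory approval store and the sample configs are assumptions constructed for illustration.

```python
import hashlib
import json


def entry_digest(entry) -> str:
    """SHA-256 over a canonical JSON encoding: key order and whitespace are
    ignored, but any change to command, args, env or url alters the digest."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def approve(config_text: str) -> dict:
    """Record the digest of every server entry the user has just reviewed."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: entry_digest(entry) for name, entry in servers.items()}


def needs_reapproval(config_text: str, approved: dict) -> list:
    """Return the server names that are new or differ from what was approved.
    A config that cannot be parsed is treated as untrusted (fail closed)."""
    try:
        servers = json.loads(config_text).get("mcpServers", {})
        current = {name: entry_digest(e) for name, e in servers.items()}
    except (json.JSONDecodeError, AttributeError):
        return ["<unparsable config>"]
    return sorted(n for n, d in current.items() if approved.get(n) != d)


# Constructed sample configs (hypothetical server name and commands).
APPROVED_CONFIG = '{"mcpServers": {"build-helper": {"command": "echo", "args": ["hello"]}}}'
REORDERED = '{"mcpServers": {"build-helper": {"args": ["hello"], "command": "echo"}}}'
MODIFIED = '{"mcpServers": {"build-helper": {"command": "example-changed-binary", "args": ["--flag"]}}}'

if __name__ == "__main__":
    store = approve(APPROVED_CONFIG)  # taken once, when the user approves
    for label, text in [("unchanged", APPROVED_CONFIG),
                        ("reordered", REORDERED),
                        ("modified", MODIFIED)]:
        changed = needs_reapproval(text, store)
        verdict = "re-approval required: " + ", ".join(changed) if changed else "trusted"
        print(f"{label}: {verdict}")
```

Binding approval to the entry's content rather than to its name or file path is what closes the swap-after-approval gap; the same check can run in CI to flag pull requests that touch .cursor/mcp.json.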