Overview
A case-sensitivity bug in Cursor AI IDE allows attackers to bypass file protection mechanisms and modify .cursor/mcp.json on case-insensitive filesystems (Windows/macOS), enabling injection of malicious MCP servers and achieving remote code execution.
Who Is Affected
The issue was discovered by Lakera AI security researchers. It affects all Cursor users on Windows and macOS, which use case-insensitive filesystems by default.
Where It Exists
The vulnerability is in Cursor's file access control logic, which protects .cursor/mcp.json from modification by AI agents. The protection uses case-sensitive path matching on case-insensitive filesystems.
When It Was Found
Disclosed in July 2025 as CVE-2025-59944. Lakera coordinated disclosure with the Cursor team.
How It Works
Cursor blocks AI agents from writing to .cursor/mcp.json to prevent MCP server injection. However, on case-insensitive filesystems (Windows, macOS), an agent can write to .Cursor/MCP.JSON or other case variants. The OS treats these as the same file, bypassing the protection. The attacker injects a malicious MCP server definition, which Cursor loads on next startup, achieving persistent code execution.
Impact
Persistent remote code execution within the Cursor IDE environment. Attackers gain access to all files the developer can access, can steal credentials and source code, install backdoors, and modify code in active projects. The persistence survives IDE restarts.
Mitigation
Update Cursor to the patched version. Use case-insensitive path comparison for file protection rules. Implement file integrity monitoring on MCP configuration files. Restrict AI agent file write permissions to explicit allowlists rather than denylists.
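The case-insensitive comparison and allowlist recommended above, sketched as an added example that is not Cursor's code and not part of the original advisory. It assumes workspace-relative paths; `ALLOWED_DIRS` and all function names are hypothetical.

```javascript
// Added example, not Cursor's implementation. Paths are assumed to be
// relative to the workspace root; ALLOWED_DIRS is a constructed policy.
const PROTECTED = [".cursor/mcp.json"]; // file named in the advisory
const ALLOWED_DIRS = ["src", "docs"];   // hypothetical write allowlist

// The flawed check the advisory describes: exact, case-sensitive match.
function isProtectedCaseSensitive(relPath) {
  return PROTECTED.includes(relPath);
}

// Reduce a path to a comparison key: unify separators, resolve "." and
// ".." segments, Unicode-normalize and fold case.
// Returns null when the path climbs out of the workspace root.
function canonicalKey(relPath) {
  const out = [];
  for (const seg of relPath.replace(/\\/g, "/").split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") {
      if (out.length === 0) return null;
      out.pop();
    } else {
      out.push(seg.normalize("NFC").toLowerCase());
    }
  }
  return out.join("/");
}

// Hardened denylist check: compare canonical keys, never raw strings.
// A path that escapes the workspace is treated as protected (fail closed).
function isProtected(relPath) {
  const key = canonicalKey(relPath);
  return key === null || PROTECTED.some((p) => canonicalKey(p) === key);
}

// Allowlist gate: a write is permitted only inside an allowed directory,
// and never to a protected file or outside the workspace.
function isWriteAllowed(relPath) {
  const key = canonicalKey(relPath);
  if (key === null || isProtected(relPath)) return false;
  return ALLOWED_DIRS.some((dir) => key.startsWith(canonicalKey(dir) + "/"));
}
```

String folding only approximates how the filesystem compares names, so the allowlist gate is the primary control and the denylist a backstop. On a case-sensitive filesystem the folded comparison is stricter than necessary but still fails closed.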