
Unveiled by Check Point: A Hidden Danger in AI-Driven Coding Environment - a Stealthy Peril for AI-Enhanced Development

The extraordinary growth of the AI-assisted coding tools market, predicted to reach $25.7 billion by 2030 from its current $6.7 billion in 2024, underscores the increasing significance of these tools in the realm of contemporary software development. The driving force behind this surge is the...


In a significant development for the cybersecurity landscape, a critical and persistent remote code execution (RCE) flaw, known as CVE-2025-54136 or "MCPoison," has been discovered in the Cursor AI-powered Integrated Development Environment (IDE). This vulnerability exploits a weakness in Cursor's Model Context Protocol (MCP) trust validation system, which is crucial for automation workflows in collaborative development.

The vulnerability arises from how Cursor decides whether to trust an MCP configuration. The IDE asks the user for approval once, when the configuration is first seen, and binds that trust to the MCP entry's name alone; it does not re-validate the entry when its content later changes. This opens an attack path in which attackers can:

  1. Commit a seemingly harmless MCP configuration to a shared repository, such as an innocuous echo command.
  2. Wait for the developer to approve the MCP on first use.
  3. Later modify the same MCP entry in the shared repository so that it carries a malicious payload, such as a reverse shell or an arbitrary system command.
  4. Rely on Cursor to execute the updated command automatically every time the project is opened or synced, without displaying any further prompt or alert.

The exploit leverages collaborative workflows where trusted configuration files (.cursor/rules/mcp.json) are shared via repositories, enabling a persistent silent backdoor that executes automatically, effectively bypassing user awareness and security checks.

The implications of this vulnerability are severe:

  • Silent and persistent compromise: The code executes invisibly on each project open, making detection difficult without external monitoring.
  • Low barrier to attack: Any collaborator with write access to the repository can weaponize the MCP configuration.
  • Scalability and supply chain risk: In team or organizational environments, the malicious MCP can spread broadly, potentially compromising multiple developer machines.
  • Privilege escalation and data exposure: Since developer environments often have access to cloud credentials and sensitive source code, attackers may gain privilege escalation or exfiltrate critical data.
  • Fundamental breakdown in trust assumptions: The approval of automation in AI-driven development tools is naive and does not account for dynamic changes.

To mitigate the risk, it is recommended that users:

  1. Update Cursor IDE to version 1.3 or later, which enforces re-approval for any MCP configuration changes.
  2. Audit existing MCP files in projects for suspicious command changes post-approval.
  3. Implement branch protection and code review policies specifically for the .cursor directory contents in repositories to prevent unauthorized modifications.
  4. Adopt vigilant monitoring and auditing of AI-assisted development workflows, especially in collaborative and automated environments.
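The trust weakness described above, and the audit recommended in step 2, can both be illustrated with a small model. The following is an added example, not Check Point's or Cursor's code: it contrasts a name-bound trust store (approval keyed on the MCP entry's name, so later edits stay trusted) with a content-bound one (approval keyed on a hash of the entry's canonical JSON, so any change requires re-approval), and adds an audit routine that compares a previously approved mcp.json against the copy now in the working tree. The assumed file layout (a top-level "mcpServers" map of name to entry), the server name "build-helper", and both configuration snapshots are constructed for the example.

```python
import hashlib
import json


def fingerprint(entry):
    """Stable SHA-256 over the canonical JSON of one server entry.

    Key order and whitespace do not affect the digest, so a pure reformat
    of the file is not flagged, while any change to command, args or env is.
    """
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def load_servers(config_text):
    """Return the name -> entry map from an mcp.json document.

    Assumption (constructed for this example): the file is a JSON object
    with an "mcpServers" member holding the entries.
    """
    return json.loads(config_text).get("mcpServers", {})


class NameBoundTrust:
    """Models the flawed behaviour: trust is bound to the entry's name only,
    so an entry that was edited after approval is still considered trusted."""

    def __init__(self):
        self._approved = set()

    def approve(self, name, entry):
        self._approved.add(name)  # content is ignored

    def is_trusted(self, name, entry):
        return name in self._approved


class ContentBoundTrust:
    """Hardened variant: trust is bound to the content hash taken at approval,
    so any later change to the entry must be approved again."""

    def __init__(self):
        self._approved = {}

    def approve(self, name, entry):
        self._approved[name] = fingerprint(entry)

    def is_trusted(self, name, entry):
        return self._approved.get(name) == fingerprint(entry)


def audit_mcp_config(approved_text, current_text):
    """Compare the mcp.json approved earlier with the one in the working tree.

    Returns 'added', 'changed' and 'removed' findings per server name; an
    empty list means nothing drifted since approval. The approved snapshot
    should be kept outside the repository, otherwise a collaborator with
    write access could update it together with the malicious change.
    """
    approved = load_servers(approved_text)
    current = load_servers(current_text)
    findings = []
    for name in sorted(set(approved) | set(current)):
        if name not in approved:
            findings.append(f"added: {name}")
        elif name not in current:
            findings.append(f"removed: {name}")
        elif fingerprint(approved[name]) != fingerprint(current[name]):
            findings.append(f"changed: {name}")
    return findings


# Constructed sample: the entry as first committed and approved ...
APPROVED_TEXT = json.dumps(
    {"mcpServers": {"build-helper": {"command": "echo", "args": ["hello"]}}}
)
# ... and the same entry after a later commit swaps the command. The new
# command is a placeholder; the point is that it would run without a prompt.
MODIFIED_TEXT = json.dumps(
    {"mcpServers": {"build-helper": {"command": "sh",
                                     "args": ["-c", "REPLACED_COMMAND_PLACEHOLDER"]}}}
)


if __name__ == "__main__":
    approved_entry = load_servers(APPROVED_TEXT)["build-helper"]
    modified_entry = load_servers(MODIFIED_TEXT)["build-helper"]
    weak, strong = NameBoundTrust(), ContentBoundTrust()
    for store in (weak, strong):
        store.approve("build-helper", approved_entry)
    print("name-bound still trusts edited entry:", weak.is_trusted("build-helper", modified_entry))
    print("content-bound still trusts edited entry:", strong.is_trusted("build-helper", modified_entry))
    print("audit findings:", audit_mcp_config(APPROVED_TEXT, MODIFIED_TEXT))
```

Running the script shows the name-bound store accepting the edited entry while the content-bound store rejects it, and the audit reporting "changed: build-helper". Hashing the canonical JSON rather than the raw file bytes is a deliberate choice: a commit that only re-indents or reorders keys produces no finding, so the audit can be run on every checkout or pull without training developers to ignore its output.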

This vulnerability underscores the critical need for robust trust validation and security controls in AI-powered developer tools that deeply integrate automation and code execution capabilities. As the global AI-assisted code tools market is projected to surpass $25.7 billion by 2030, the focus on securing these tools will undoubtedly become increasingly important.

The discovery of CVE-2025-54136, or "MCPoison," a critical and persistent remote code execution (RCE) flaw in Cursor's AI-powered Integrated Development Environment (IDE), shows that cybersecurity practices in development and cloud computing environments must be strengthened. The vulnerability jeopardizes the security of technology systems by enabling silent and persistent compromise, offering a low barrier to attack, creating scalability and supply chain risks, opening the door to privilege escalation and data exposure, and breaking the trust assumptions built into AI-driven development tools.
