{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-54136", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-07-16T23:53:40.510Z", "datePublished": "2025-08-01T23:08:21.817Z", "dateUpdated": "2025-08-04T17:16:42.841Z"}, "containers": {"cna": {"title": "Cursor's Modification of MCP Server Definitions Bypasses Manual Re-approvals", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/cursor/cursor/security/advisories/GHSA-24mc-g4xr-4395", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/cursor/cursor/security/advisories/GHSA-24mc-g4xr-4395"}], "affected": [{"vendor": "cursor", "product": "cursor", "versions": [{"version": "< 1.3", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-01T23:08:21.817Z"}, "descriptions": [{"lang": "en", "value": "Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt. If an attacker has write permissions on a user's active branches of a source repository that contains existing MCP servers the user has previously approved, or allows an attacker has arbitrary file-write locally, the attacker can achieve arbitrary code execution. This is fixed in version 1.3."}], "source": {"advisory": "GHSA-24mc-g4xr-4395", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-04T17:16:34.453679Z", "id": "CVE-2025-54136", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-04T17:16:42.841Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-54136", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-08-04T17:16:34.453679Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-04T17:16:38.537Z"}}], "cna": {"title": "Cursor's Modification of MCP Server Definitions Bypasses Manual Re-approvals", "source": {"advisory": "GHSA-24mc-g4xr-4395", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "cursor", "product": "cursor", "versions": [{"status": "affected", "version": "< 1.3"}]}], "references": [{"url": "https://github.com/cursor/cursor/security/advisories/GHSA-24mc-g4xr-4395", "name": "https://github.com/cursor/cursor/security/advisories/GHSA-24mc-g4xr-4395", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt. If an attacker has write permissions on a user's active branches of a source repository that contains existing MCP servers the user has previously approved, or allows an attacker has arbitrary file-write locally, the attacker can achieve arbitrary code execution. This is fixed in version 1.3."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-01T23:08:21.817Z"}}}, "cveMetadata": {"cveId": "CVE-2025-54136", "state": "PUBLISHED", "dateUpdated": "2025-08-04T17:16:42.841Z", "dateReserved": "2025-07-16T23:53:40.510Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-01T23:08:21.817Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:anysphere:cursor:*:*:*:*:*:*:*:*", "matchCriteriaId": "6CC3BD06-C788-4AE8-80B9-8CF608AB5F5F", "versionEndExcluding": "1.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cursor is a code editor built for programming with AI. In versions 1.2.4 and below, attackers can achieve remote and persistent code execution by modifying an already trusted MCP configuration file inside a shared GitHub repository or editing the file locally on the target's machine. Once a collaborator accepts a harmless MCP, the attacker can silently swap it for a malicious command (e.g., calc.exe) without triggering any warning or re-prompt. If an attacker has write permissions on a user's active branches of a source repository that contains existing MCP servers the user has previously approved, or allows an attacker has arbitrary file-write locally, the attacker can achieve arbitrary code execution. This is fixed in version 1.3."}, {"lang": "es", "value": "Cursor es un editor de c\u00f3digo creado para programar con IA. En las versiones 1.2.4 y anteriores, los atacantes pueden lograr la ejecuci\u00f3n remota y persistente de c\u00f3digo modificando un archivo de configuraci\u00f3n MCP ya confiable dentro de un repositorio compartido de GitHub o edit\u00e1ndolo localmente en el equipo objetivo. Una vez que un colaborador acepta un MCP inofensivo, el atacante puede reemplazarlo silenciosamente por un comando malicioso (por ejemplo, calc.exe) sin generar ninguna advertencia ni solicitud. Si un atacante tiene permisos de escritura en las ramas activas de un usuario de un repositorio de origen que contiene servidores MCP existentes que el usuario ha aprobado previamente, o permite que un atacante escriba archivos arbitrariamente localmente, puede lograr la ejecuci\u00f3n de c\u00f3digo arbitrario. Esto se solucion\u00f3 en la versi\u00f3n 1.3."}], "id": "CVE-2025-54136", "lastModified": "2025-08-25T01:41:36.580", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-08-02T00:15:25.290", "references": [{"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/cursor/cursor/security/advisories/GHSA-24mc-g4xr-4395"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"created": "2025-08-04T08:15:50.659755+00:00", "updated": "2025-08-04T08:15:50.659872+00:00", "vendors": ["cursor", "cursor$PRODUCT$cursor"]}