Research | April 7, 2026 | 8 min read

Cursor AI Security: Known Vulnerabilities and What Developers Should Know

From CVE-2025-54135 to MCP poisoning attacks, Cursor has real security risks. Here's what's been discovered, what's been patched, and what you should configure.

Cursor is one of the most widely used AI coding tools among professional developers. It's fast, context-aware, and produces working code with impressive accuracy. But in 2025, security researchers found several serious vulnerabilities, not just in the code Cursor generates but in the IDE itself.

Here's what's been discovered, what's been fixed, and what you should configure to use Cursor safely.

CVE-2025-54135: Remote Code Execution via MCP

The most serious Cursor vulnerability to date, CVE-2025-54135, was dubbed "CurXecute" by Aim Labs, the team that disclosed it. The attack chain: an attacker posts a message containing a prompt injection in a Slack channel the developer has connected to Cursor through a Slack MCP (Model Context Protocol) server. When the developer asks the agent to summarize that channel, the injected instructions direct it to write a new server entry into the user's global MCP configuration file, ~/.cursor/mcp.json. Cursor started newly added MCP servers as soon as the file changed, before the user had accepted the edit, so the attacker's command ran with the developer's full privileges.

This isn't a theoretical attack. Aim Labs demonstrated the full chain, from malicious message to code execution, and Cursor fixed it in version 1.3. Check Point Research reported a related weakness in the same release cycle, tracked as CVE-2025-54136 and dubbed "MCPoison": Cursor's approval model for MCP servers was one-time. Once you approved a server, later modifications to its command were trusted without re-approval, so anyone with write access to a shared repository's .cursor/mcp.json could swap a benign command for a malicious one after a teammate had approved the original, and it would run on every subsequent open.

Workspace Trust Is Disabled by Default

Oasis Security's research revealed that Cursor ships with VS Code's Workspace Trust feature disabled. Without it, Cursor will run the tasks a repository defines in .vscode/tasks.json, and a task marked with "runOptions": {"runOn": "folderOpen"} executes the moment you open the folder, with no prompt. A malicious repository can therefore run arbitrary commands as soon as you open it, before you have read a single file.

This is a deliberate trade-off Cursor made for convenience: workspace trust prompts are annoying and many developers click "Trust" without reading them. But it means opening an untrusted repository in Cursor is genuinely dangerous (cloning is harmless; opening the folder is the trigger). The fix is simple: enable Workspace Trust (security.workspace.trust.enabled) in settings, and keep unfamiliar repositories in Restricted Mode until you have looked at .vscode/tasks.json.

Malicious npm Packages Targeting Cursor Users

SecurityWeek reported three malicious npm packages aimed at Cursor users on macOS. The packages posed as developer tools for Cursor; once installed they deployed a backdoor that could steal credentials and execute commands, and modified Cursor's own application files so that the backdoor persisted across restarts.

This isn't a vulnerability in Cursor itself, but it shows that Cursor's popularity has made it a target. Attackers are building social engineering campaigns specifically around the Cursor ecosystem. When you install extensions or packages that claim to enhance Cursor, verify the publisher, check download counts and package age, and read the source, including any preinstall or postinstall scripts, which run with your privileges the moment the package is installed.

The Code Cursor Generates

Beyond the IDE vulnerabilities there's a separate question: is the code Cursor generates secure? Cursor's strength, deep project context awareness, creates a specific risk pattern. Because it generates complex, working code quickly, developers trust it more and review it less than output from other AI tools.

The patterns seen in Cursor-generated code match those of other AI tools but are amplified by volume: API routes without authorization checks (any authenticated user can reach any other user's records), error handlers that return stack traces or internal messages to the client in production, validation that exists in the React component but not in the API handler it calls, and default framework configurations shipped unchanged.
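Here is that contrast in code, as an added example that is not from the article or from Cursor: one "update profile" API handler written the way generated code often looks, beside a hardened version that adds the authorization check, server-side validation and a non-leaking error path. The user table, session object and request shape are constructed for the example, and no framework is used so it runs under plain Node.

```javascript
// Added example (not the article's or Cursor's code). Two versions of the same
// handler; requests are plain objects { session, params, body } so no framework
// is needed. The user table is constructed sample data.

const users = new Map([
  [1, { id: 1, email: 'alice@example.com', role: 'user' }],
  [2, { id: 2, email: 'bob@example.com', role: 'user' }],
]);

// --- Vulnerable: reads as complete, "works" in manual testing -------------------
function updateProfileVulnerable(req) {
  // No authorization check: any caller can edit any id (an IDOR).
  const target = users.get(Number(req.params.id));
  try {
    // No server-side validation: the React form checked the email, the API trusts it.
    target.email = req.body.email;
    return { status: 200, body: { ok: true, user: target } };
  } catch (err) {
    // Verbose error response: message and stack go straight to the client.
    return { status: 500, body: { error: err.message, stack: err.stack } };
  }
}

// --- Hardened ---------------------------------------------------------------------
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

function updateProfileHardened(req, log = () => {}) {
  const session = req.session;
  if (!session) return { status: 401, body: { error: 'authentication required' } };

  const id = Number(req.params.id);
  // Authorization: only the record owner or an admin may modify it.
  if (!Number.isInteger(id) || (session.userId !== id && session.role !== 'admin')) {
    return { status: 403, body: { error: 'forbidden' } };
  }

  const target = users.get(id);
  if (!target) return { status: 404, body: { error: 'not found' } };

  // Server-side validation, independent of whatever the client component did.
  const email = req.body && req.body.email;
  if (typeof email !== 'string' || email.length > 254 || !EMAIL_RE.test(email)) {
    return { status: 400, body: { error: 'invalid email' } };
  }

  try {
    target.email = email;
    // Return only the fields the client needs, not the whole record.
    return { status: 200, body: { ok: true, user: { id: target.id, email: target.email } } };
  } catch (err) {
    log(err); // details stay in the server log
    return { status: 500, body: { error: 'internal error' } };
  }
}
```

The vulnerable version is the one a reviewer skims past because it has a try/catch and returns JSON; the missing authorization line is an absence, and absences don't show up in a diff.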

What to Configure Right Now

If you're using Cursor, these settings changes take two minutes and address the known attack vectors:

  • Enable Workspace Trust: Settings > search "trust" > enable "Security: Workspace Trust Enabled" (the setting key is security.workspace.trust.enabled). This stops tasks from untrusted repositories running on folder open
  • Keep Auto-Run mode (formerly "YOLO mode") off for the agent, so terminal commands and MCP tool calls wait for your approval; if you enable it for speed, use a command allowlist rather than blanket approval
  • Audit your MCP configurations: check both the global ~/.cursor/mcp.json and the project-level .cursor/mcp.json for servers you don't recognize, and re-check a project's file whenever it changes in the repository, since an approved server's command can be edited after the fact
  • Don't install unverified Cursor-specific npm packages: verify the publisher, check downloads, read the source and its install scripts
  • Treat Cursor's code output as a first draft that needs security review, not production-ready code

The Bigger Picture

Cursor is arguably the best AI coding tool available. It's also a prime target, because its user base is professional developers with access to production systems and source code. The IDE-level vulnerabilities (MCP poisoning, workspace trust) are more concerning than the code generation issues because they hand an attacker code execution in your development environment, with your credentials and your repositories.

Cursor has been responsive to disclosures and has patched the MCP issues; Workspace Trust is still a setting you have to turn on yourself. But the attack surface of an AI-powered IDE is fundamentally larger than a traditional editor's: every data source the agent reads (Slack, web pages, issue trackers, the repository itself) is a channel for prompt injection, and every tool it can call is a place where that injection becomes execution. Keep Cursor updated, configure the security settings above, and scan the code it generates before shipping.

Built with Cursor? See what it missed — free scan at nullscan.io
