CVE-2025-54133— Cursor's MCP Install Deeplink Does Not Show Arguments in its User-Dialog

Cursor's MCP Install Deeplink Does Not Show Arguments in its User-Dialog

Cursor is a code editor built for programming with AI. In versions 1.17 through 1.2, there is a UI information disclosure vulnerability in Cursor's MCP (Model Context Protocol) deeplink handler, allowing attackers to execute 2-click arbitrary system commands through social engineering attacks. When users click malicious `cursor://anysphere.cursor-deeplink/mcp/install` links, the installation dialog does not show the arguments being passed to the command being run. If a user clicks a malicious deeplink, then examines the installation dialog and clicks through, the full command including the arguments will be executed on the machine. This is fixed in version 1.3.

N/A

OS命令中使用的特殊元素转义处理不恰当(OS命令注入)

Cursor 操作系统命令注入漏洞

Cursor是Cursor开源的一个 AI 代码编辑器。 Cursor 1.17至1.2版本存在操作系统命令注入漏洞，该漏洞源于MCP深链接处理程序存在信息泄露，可能导致任意系统命令执行。

N/A

N/A