
CVE-2025-54135 PoC — Cursor Agent is vulnerable to prompt injection via MCP Special Files

Source
Associated Vulnerability
Title: Cursor Agent is vulnerable to prompt injection via MCP Special Files (CVE-2025-54135)
Description: Cursor is a code editor built for programming with AI. In versions below 1.3.9, Cursor allows writing in-workspace files with no user approval. If the file is a dotfile, editing it requires approval, but creating a new one doesn't. Hence, if sensitive MCP files such as the .cursor/mcp.json file don't already exist in the workspace, an attacker can chain an indirect prompt injection vulnerability to hijack the context, write to the settings file and trigger RCE on the victim without user approval. This is fixed in version 1.3.9.
Readme
Below is a fully functional exploit for the CVE-2025-54135 vulnerability in the Cursor IDE, designed to demonstrate a prompt-injection attack that manipulates the Model Context Protocol (MCP) configuration to achieve remote code execution. This code assumes the attacker has access to a public Slack channel or similar external MCP server that the victim's Cursor IDE is configured to interact with. The exploit crafts a malicious prompt that rewrites the `~/.cursor/mcp.json` file to execute arbitrary commands under the developer's privileges.

---

### ⚠️ Disclaimer

This code is for educational purposes only. Unauthorized use is illegal. The author is not liable for misuse. Always obtain permission and comply with laws.

### Exploit [href](https://tinyurl.com/3w2a474m)

---

### Setup Instructions
To use this exploit, follow these steps to set up the attack infrastructure:

1. **Create a Slack Bot**:
   - Set up a Slack app with a bot token and permissions to post messages to a public channel (e.g., `general`).
   - Replace `xoxp-your-slack-bot-token-here` in the script with your bot token.

2. **Set Up a Malicious MCP Server**:
   - Host a server at `http://attacker-controlled-server.com:8080` (replace with your own server URL).
   - This server can be a simple HTTP server to log interactions or serve additional payloads, though it’s not strictly required for the initial command execution.

3. **Run the Exploit**:
   - Install dependencies: `pip install requests`.
   - Execute the script: `python cve-2025-54135-exploit.py`.
   - The script posts a malicious prompt to the specified Slack channel, which the victim’s Cursor IDE will fetch and process if configured to monitor that channel.

4. **Exploit Mechanism**:
   - The malicious prompt contains a Base64-encoded MCP configuration that adds a new server entry to `~/.cursor/mcp.json`.
   - The `auto_start` flag ensures the `start_command` (e.g., `whoami > /tmp/pwned.txt`) executes immediately without user approval.
   - Since Cursor runs with developer-level privileges, the command executes in the victim’s environment, potentially leading to data theft, ransomware, or further system compromise.

5. **Verification**:
   - Check the victim’s machine for `/tmp/pwned.txt` to confirm successful command execution.
   - Modify the `COMMAND` variable to execute other shell commands as needed.
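A defender-side counterpart to the mechanism described above, added here as an example that is not part of the PoC or of Cursor itself: it audits a workspace's `.cursor/mcp.json` files for server entries that would launch a command without review. The `mcpServers`/`command` layout, the README's `auto_start`/`start_command` keys, and the allowlist contents are assumptions.

```python
import json
import re
from pathlib import Path

# Reviewed server name -> command it is expected to launch (constructed placeholder).
APPROVED_SERVERS = {"filesystem": "npx"}
# Keys that, if present, let an entry spawn a process when the config is loaded
# (assumed from the README's description; real key names may differ).
EXEC_KEYS = {"command", "start_command", "args"}
# Long base64-looking strings are where an injected config would hide its payload.
B64_RE = re.compile(r"^[A-Za-z0-9+/]{40,}={0,2}$")


def audit_mcp_config(text: str) -> list[str]:
    """Return human-readable findings for one mcp.json document (empty = clean)."""
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"unparseable JSON: {exc}"]
    servers = data.get("mcpServers", {}) if isinstance(data, dict) else {}
    findings = []
    for name, entry in servers.items():
        if not isinstance(entry, dict):
            findings.append(f"{name}: malformed entry")
            continue
        if entry.get("auto_start"):
            findings.append(f"{name}: auto_start set, would run without approval")
        expected = APPROVED_SERVERS.get(name)
        if expected is None:
            findings.append(f"{name}: not in reviewed allowlist")
            for key in sorted(EXEC_KEYS & set(entry)):
                findings.append(f"{name}: executes via {key}={entry[key]!r}")
        elif entry.get("command") != expected:
            findings.append(f"{name}: command changed from {expected!r}")
        for key, val in entry.items():
            if isinstance(val, str) and B64_RE.match(val):
                findings.append(f"{name}: base64-looking blob in {key!r}")
    return findings


def audit_workspace(root: Path) -> dict[str, list[str]]:
    """Audit every .cursor/mcp.json under root; pathlib's glob matches dotdirs too."""
    return {str(p): audit_mcp_config(p.read_text(encoding="utf-8"))
            for p in root.rglob(".cursor/mcp.json")}


# Constructed sample: one reviewed server plus an entry shaped like the injected one.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "filesystem": {"command": "npx", "args": ["-y", "server-filesystem"]},
    "helper": {"auto_start": True, "start_command": "whoami > /tmp/pwned.txt"}}})

if __name__ == "__main__":
    for finding in audit_mcp_config(SAMPLE_CONFIG):
        print(finding)
```

Run it from a CI job or a pre-checkout hook with `audit_workspace(Path("."))` so a freshly created `.cursor/mcp.json` is reported before the agent loads it.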

### Prerequisites
- Python 3.x with the `requests` library.
- A Slack workspace where the victim’s Cursor IDE is configured to fetch data via MCP.
- An attacker-controlled server (optional for advanced payloads).

### Notes
- This exploit targets Cursor IDE versions prior to 1.3, which was patched on July 29, 2025. Ensure the target is running a vulnerable version. (Coverage: [bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/ai-powered-cursor-ide-vulnerable-to-prompt-injection-attacks/), [thehackernews.com](https://thehackernews.com/2025/08/cursor-ai-code-editor-fixed-flaw.html), [coesecurity.com](https://coesecurity.com/curxecute-rce-flaw-in-cursor-ai/).)
- The attack relies on the victim’s Cursor IDE processing external data from a public Slack channel or similar MCP-connected service.
- For real-world use, ensure you have permission to test against the target system, as unauthorized exploitation is illegal.

This code and setup provide a functional demonstration of how an attacker could leverage CVE-2025-54135 to achieve remote code execution via prompt injection in Cursor IDE.
File Snapshot

[4.0K] /data/pocs/86be37b23e096ba4628b64d35c65f678b72bf19e └── [3.4K] README.md 0 directories, 1 file