CVE-2025-61591

CVE-2025-61591 is a command injection vulnerability (CWE-78) affecting Cursor, an AI-powered code editor for programming, in versions 1.7 and below. The flaw occurs when the MCP component uses OAuth authentication with an untrusted MCP server, allowing an attacker to impersonate a malicious server and inject crafted commands during the authentication interaction process. This leads to potential remote code execution on the affected host.

An attacker with network access can exploit this vulnerability without prior privileges by tricking a user into authenticating via OAuth to a malicious MCP server (user interaction required, per CVSS UI:R). Successful exploitation enables arbitrary command injection by the agent, resulting in remote code execution with full user privileges on the host system, compromising confidentiality, integrity, and availability (CVSS 8.8: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

The GitHub security advisory at https://github.com/cursor/cursor/security/advisories/GHSA-wj33-264c-j9cq notes no fixed release version is available yet, but a patch (2025.09.17-25b418f) has been issued for remediation. Security practitioners should apply this patch promptly and avoid using untrusted MCP servers with OAuth in Cursor installations.

Cursor's integration of AI for programming introduces relevance to AI/ML workflows, as exploitation could target developer environments handling AI model code or data. No public reports of real-world exploitation are available as of the CVE publication on 2025-10-03.