CVE-2025-64106
Published: 04 November 2025
Description
Adversaries may exploit vulnerabilities to evade detection by hiding activity, suppressing logging, or operating within trusted or unmonitored components.
Security Summary
CVE-2025-64106 is an input validation vulnerability (CWE-78: OS Command Injection) affecting Cursor, an AI-powered code editor for programming, in versions 1.7.28 and below. The flaw exists in Cursor's MCP server installation process, where specially crafted deep-links can bypass standard security warnings. This allows attackers to conceal the commands that would be executed if a user accepts the server installation prompt.
The attack requires an attacker to convince a victim to navigate to a malicious deep-link, typically via social engineering such as phishing. A remote, unauthenticated attacker (PR:N) with network access (AV:N) can exploit this with low complexity (AC:L), though it requires user interaction (UI:R) to accept the altered speedbump modal. Successful exploitation leads to high-impact arbitrary command execution on the victim's system (C:H/I:H/A:H), with a CVSS v3.1 base score of 8.8.
For mitigation details, including patches and advisories, refer to the GitHub Security Advisory at https://github.com/cursor/cursor/security/advisories/GHSA-4575-fh42-7848. The vulnerability was published on 2025-11-04.
Details
- CWE(s)
Affected Products
AI Security Analysis
- AI Category
- Other Platforms
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- Cursor is an AI-powered code editor designed for programming with AI, featuring integrations like MCP servers for AI tools, fitting the Enterprise AI Assistants category.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
CVE enables OS command injection (T1059) via crafted deep-links exploiting client app vuln (T1203), tricking users into execution (T1204.001), and bypassing security warnings (T1211).