CVE-2025-64109
Published: 05 November 2025
Description
Adversaries may exploit software vulnerabilities in client applications to execute code.
Security Summary
CVE-2025-64109 is a remote code execution vulnerability (CWE-78) in the Cursor CLI Beta, a code editor designed for programming with AI. The flaw resides in the MCP (Model Context Protocol) server mechanism, where a malicious MCP configuration can be placed in a .cursor/mcp.json file within a GitHub repository. It affects versions prior to 2025.09.17-25b418f and has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).
An attacker who controls a GitHub repository can exploit this by uploading a malicious .cursor/mcp.json file. A victim using a vulnerable version of Cursor CLI Beta who clones the repository and opens the project will have the command to run the malicious MCP server executed immediately without any warning, enabling arbitrary code execution on the victim's machine.
The issue is addressed in Cursor version 2025.09.17-25b418f. Additional details are available in the vendor's security advisory at https://github.com/cursor/cursor/security/advisories/GHSA-4hwr-97q3-37w2.
Details
- CWE(s)
AI Security Analysis
- AI Category
- AI Agent Protocols and Integrations
- Risk Domain
- Supply Chain and Deployment
- OWASP Top 10 for LLMs 2025
- None mapped
- MITRE ATLAS Techniques
- None mapped
- Classification Reason
- The vulnerability affects Cursor, an AI code editor, specifically through the MCP (Model Context Protocol) server mechanism via a malicious .cursor/mcp.json configuration file, which is a protocol for model context integration in AI agents.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Vulnerability enables RCE via malicious .cursor/mcp.json in GitHub repo, exploiting Cursor CLI's automatic command execution on project open, facilitating supply chain compromise of development tools/repos and client-side exploitation.