CVE-2025-54133

Cursor is a code editor built for programming with AI. In versions 1.17 through 1.2, there is a UI information disclosure vulnerability in Cursor's MCP (Model Context Protocol) deeplink handler, allowing attackers to execute 2-click arbitrary system commands through social engineering attacks. When users click malicious `cursor://anysphere.cursor-deeplink/mcp/install` links, the installation dialog does not show the arguments being passed to the command being run. If a user clicks a malicious deeplink, then examines the installation dialog and clicks through, the full command including the arguments will be executed on the machine. This is fixed in version 1.3.

CVSS

No CVSS.

References

Link	Resource
https://github.com/cursor/cursor/security/advisories/GHSA-r22h-5wp2-2wfv

Configurations

No configuration.

History

04 Aug 2025, 15:06

Type	Values Removed	Values Added
Summary		(es) Cursor es un editor de código creado para programar con IA. En las versiones 1.17 a 1.2, existe una vulnerabilidad de divulgación de información de la interfaz de usuario en el controlador de enlaces profundos MCP (Protocolo de Contexto de Modelo) de Cursor, que permite a los atacantes ejecutar comandos arbitrarios del sistema con dos clics mediante ataques de ingeniería social. Cuando los usuarios hacen clic en enlaces maliciosos `cursor://anysphere.cursor-deeplink/mcp/install`, el cuadro de diálogo de instalación no muestra los argumentos que se pasan al comando que se está ejecutando. Si un usuario hace clic en un enlace profundo malicioso, examina el cuadro de diálogo de instalación y lo completa, se ejecutará el comando completo, incluidos los argumentos, en el equipo. Esto se ha corregido en la versión 1.3.

02 Aug 2025, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-08-02 00:15

Updated : 2025-08-04 15:06

NVD link : CVE-2025-54133

Mitre link : CVE-2025-54133

CVE.ORG link : CVE-2025-54133

JSON object : View

Products Affected

No product.

CWE

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

{"id": "CVE-2025-54133", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-08-02T00:15:25.050", "references": [{"url": "https://github.com/cursor/cursor/security/advisories/GHSA-r22h-5wp2-2wfv", "source": "security-advisories@github.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-78"}, {"lang": "en", "value": "CWE-200"}]}], "descriptions": [{"lang": "en", "value": "Cursor is a code editor built for programming with AI. In versions 1.17 through 1.2, there is a UI information disclosure vulnerability in Cursor's MCP (Model Context Protocol) deeplink handler, allowing attackers to execute 2-click arbitrary system commands through social engineering attacks. When users click malicious `cursor://anysphere.cursor-deeplink/mcp/install` links, the installation dialog does not show the arguments being passed to the command being run. If a user clicks a malicious deeplink, then examines the installation dialog and clicks through, the full command including the arguments will be executed on the machine. This is fixed in version 1.3."}, {"lang": "es", "value": "Cursor es un editor de c\u00f3digo creado para programar con IA. En las versiones 1.17 a 1.2, existe una vulnerabilidad de divulgaci\u00f3n de informaci\u00f3n de la interfaz de usuario en el controlador de enlaces profundos MCP (Protocolo de Contexto de Modelo) de Cursor, que permite a los atacantes ejecutar comandos arbitrarios del sistema con dos clics mediante ataques de ingenier\u00eda social. Cuando los usuarios hacen clic en enlaces maliciosos `cursor://anysphere.cursor-deeplink/mcp/install`, el cuadro de di\u00e1logo de instalaci\u00f3n no muestra los argumentos que se pasan al comando que se est\u00e1 ejecutando. Si un usuario hace clic en un enlace profundo malicioso, examina el cuadro de di\u00e1logo de instalaci\u00f3n y lo completa, se ejecutar\u00e1 el comando completo, incluidos los argumentos, en el equipo. Esto se ha corregido en la versi\u00f3n 1.3."}], "lastModified": "2025-08-04T15:06:15.833", "sourceIdentifier": "security-advisories@github.com"}