CVE-2025-64109: 
Cursor IDE vulnerability analysis and mitigation

CVE-2025-64109 affects Cursor, a code editor built for programming with AI. The vulnerability was discovered in the Cursor CLI Beta and disclosed on November 3, 2025. The issue allows attackers to achieve remote code execution through the MCP (Model Context Protocol) server mechanism by uploading a malicious MCP configuration in .cursor/mcp.json file in a GitHub repository. All versions prior to 2025.09.17-25b418f are affected (GitHub Advisory).

The vulnerability is classified as a Command Injection vulnerability (CWE-78) with a CVSS v3.1 score of 8.8 (High). The attack vector is Network-based (AV:N) with Low attack complexity (AC:L), requiring no privileges (PR:N) but does need user interaction (UI:R). The scope is Unchanged (S:U) with High impact on Confidentiality, Integrity, and Availability (C:H/I:H/A:H). The vulnerability stems from improper neutralization of special elements used in OS commands, allowing malicious MCP configurations to execute arbitrary commands (GitHub Advisory).

When successfully exploited, the vulnerability allows attackers to achieve remote code execution on the victim's system. The attack can be triggered as soon as a victim clones an affected project and opens it using Cursor CLI, with the malicious command being executed immediately without any warning (GitHub Advisory).

The vulnerability has been patched in version 2025.09.17-25b418f. The fix implements a security prompt that requires user confirmation before enabling MCP servers. Users are advised to upgrade to the patched version immediately. No workarounds were provided for earlier versions (GitHub Advisory).