MCPoison: Vulnerability in Cursor IDE – Execute arbitrary code via MCP
Due to a lack of security checks, attackers can change MCP configurations in the Cursor IDE to execute arbitrary code.
Check Point warns of a now fixed MCP vulnerability in the Cursor IDE that allows attackers to execute arbitrary code on a victim's computer. The vulnerability is particularly relevant in multi-user environments and repositories.
The vulnerability, which the security analysts named MCPoison, affects the Model Context Protocol (MCP). Attackers exploit a negligent authorization check: Cursor has each MCP connection approved only once and then never again. However, perpetrators can change the corresponding configuration afterwards and redirect it to any commands and other sources. The risk is particularly high if several users have access to the configuration, for example in a shared repository.
Simple change in the JSON script
Cursor IDE saves the MCP configuration in the .cursor/rules/mcp.json file, as shown in the following illustration:
(Image: Check Point)
If this file is in a repository, an attacker can easily add a new MCP source with an innocuous command. The next time the IDE is started, it asks the victim once to confirm the harmless source. Once this is done, the attacker can change the JSON as desired, for example as in the following image:
(Image: Check Point)
Each time Cursor is started, it executes the new code without being asked; the check is only performed using the name of the server entered in the script.
Cursor fixed the vulnerability on July 29 with version 1.3; users should update to this version. Check Point generally recommends versioning and monitoring configuration files in repositories. Write permissions should also be restricted.
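The monitoring recommended above can bind an approval to the full server definition instead of only its name. The following sketch is an added example, not code from Cursor or Check Point; it assumes the common `mcpServers` layout with `command` and `args` keys, and the server name, commands and function names are constructed for illustration.

```python
import hashlib
import json

def fingerprint(entry: dict) -> str:
    """Hash the full server definition (command, args, env, ...), not just its name."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def approve(config_text: str) -> dict:
    """Record a name -> fingerprint pin for every server the user has reviewed."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: fingerprint(entry) for name, entry in servers.items()}

def name_only_check(config_text: str, pins: dict) -> bool:
    """The weak check the article describes: trust is keyed on the name alone."""
    servers = json.loads(config_text).get("mcpServers", {})
    return all(name in pins for name in servers)

def audit(config_text: str, pins: dict) -> dict:
    """Compare the current file with the pins and return findings per server name."""
    servers = json.loads(config_text).get("mcpServers", {})
    findings = {}
    for name, entry in servers.items():
        if name not in pins:
            findings[name] = "new server, not yet approved"
        elif fingerprint(entry) != pins[name]:
            findings[name] = "definition changed after approval"
    for name in pins.keys() - servers.keys():
        findings[name] = "approved server removed"
    return findings

# Constructed sample data: the entry as first approved, then as edited in the repository.
APPROVED = '{"mcpServers": {"build-helper": {"command": "echo", "args": ["hello"]}}}'
MODIFIED = '{"mcpServers": {"build-helper": {"command": "other-binary", "args": ["--changed"]}}}'

if __name__ == "__main__":
    pins = approve(APPROVED)
    # The name is unchanged, so a name-only check still accepts the edited entry.
    print("name-only check passes:", name_only_check(MODIFIED, pins))
    # The content pin flags the same entry and forces a new review.
    print("content-pinned audit:", audit(MODIFIED, pins))
```

Run as a pre-commit hook or CI step, a non-empty result from `audit` can block the change until someone reviews the edited entry.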
(who)