CVE Details
Basic Information
| Title | Cursor’s MCP Install Deeplink Does Not Show Arguments in its User-Dialog |
|---|---|
| Type | cve |
| Published | 2025-08-01T23:07:00.592Z |
| Modified | 2025-08-01T23:07:00.592Z |
Product Information
| Vendor | cursor |
|---|---|
| Product | cursor |
| Version | >= 1.17, < 1.3 |
CVSS Information
| Base Score | 5.3 (MEDIUM) |
|---|---|
| Attack Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N |
AI Analysis
| AI Description | A UI information disclosure vulnerability in Cursor’s MCP deeplink handler allows attackers to execute arbitrary system commands via social engineering. This affects versions 1.17 through 1.2 and is fixed in version 1.3. |
|---|---|
| AI Severity | Medium |
| AI Vendor | Cursor |
| AI Product | Cursor Code Editor |
| AI Version | 1.17, <1.3 |
Affected Products
- cursor cursor >= 1.17, < 1.3
Additional Information
| CWE List | CWE-78, CWE-200 |
|---|---|
| Source | GitHub_M |
Description
Cursor is a code editor built for programming with AI. In versions 1.17 through 1.2, there is a UI information disclosure vulnerability in Cursor’s MCP (Model Context Protocol) deeplink handler, allowing attackers to execute 2-click arbitrary system commands through social engineering attacks. When users click malicious `cursor://anysphere.cursor-deeplink/mcp/install` links, the installation dialog does not show the arguments being passed to the command being run. If a user clicks a malicious deeplink, then examines the installation dialog and clicks through, the full command including the arguments will be executed on the machine. This is fixed in version 1.3.