Description
Cursor is a code editor built for programming with AI. In versions 1.7.28 and below, an input validation flaw in Cursor's MCP server installation enables specially crafted deep-links to bypass the standard security warnings and conceal executed commands from users if they choose to accept the server. If an attacker is able to convince a victim to navigate to a malicious deeplink, the victim will not see the correct speedbump modal, and if they choose to accept, will execute commands specified by the attackers deeplink.
Problem types
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Product status
References
github.com/...cursor/security/advisories/GHSA-4575-fh42-7848
