Unrated severityNVD Advisory· Published Aug 1, 2025· Updated Aug 4, 2025

Cursor's MCP Install Deeplink Does Not Show Arguments in its User-Dialog

CVE-2025-54133

Description

Cursor is a code editor built for programming with AI. In versions 1.17 through 1.2, there is a UI information disclosure vulnerability in Cursor's MCP (Model Context Protocol) deeplink handler, allowing attackers to execute 2-click arbitrary system commands through social engineering attacks. When users click malicious cursor://anysphere.cursor-deeplink/mcp/install links, the installation dialog does not show the arguments being passed to the command being run. If a user clicks a malicious deeplink, then examines the installation dialog and clicks through, the full command including the arguments will be executed on the machine. This is fixed in version 1.3.

Affected products

Getcursor/Cursorllm-fuzzy
Range: >=1.17, <=1.2
cursor/cursorv5
Range: >= 1.17, < 1.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/cursor/cursor/security/advisories/GHSA-r22h-5wp2-2wfvmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000