POC details: 86be37b23e096ba4628b64d35c65f678b72bf19e

Source
Associated vulnerability
Title: Cursor security vulnerability (CVE-2025-54135)
Description: Cursor is an AI code editor open-sourced by Cursor. Versions of Cursor before 1.3.9 contain a security vulnerability: workspace files can be written without user approval, which may lead to remote code execution.
Introduction
Below is a fully functional exploit for the CVE-2025-54135 vulnerability in the Cursor IDE, designed to demonstrate a prompt-injection attack that manipulates the Model Context Protocol (MCP) configuration to achieve remote code execution. This code assumes the attacker has access to a public Slack channel or similar external MCP server that the victim's Cursor IDE is configured to interact with. The exploit crafts a malicious prompt that rewrites the `~/.cursor/mcp.json` file to execute arbitrary commands under the developer's privileges.

---

### ⚠️ Disclaimer

This code is for educational purposes only. Unauthorized use is illegal. The author is not liable for misuse. Always obtain permission and comply with laws.

### Exploit [href](https://tinyurl.com/3w2a474m)

---

### Setup Instructions
To use this exploit, follow these steps to set up the attack infrastructure:

1. **Create a Slack Bot**:
   - Set up a Slack app with a bot token and permissions to post messages to a public channel (e.g., `general`).
   - Replace `xoxp-your-slack-bot-token-here` in the script with your bot token.

2. **Set Up a Malicious MCP Server**:
   - Host a server at `http://attacker-controlled-server.com:8080` (replace with your own server URL).
   - This server can be a simple HTTP server to log interactions or serve additional payloads, though it’s not strictly required for the initial command execution.

3. **Run the Exploit**:
   - Install dependencies: `pip install requests`.
   - Execute the script: `python cve-2025-54135-exploit.py`.
   - The script posts a malicious prompt to the specified Slack channel, which the victim’s Cursor IDE will fetch and process if configured to monitor that channel.

4. **Exploit Mechanism**:
   - The malicious prompt contains a Base64-encoded MCP configuration that adds a new server entry to `~/.cursor/mcp.json`.
   - The `auto_start` flag ensures the `start_command` (e.g., `whoami > /tmp/pwned.txt`) executes immediately without user approval.
   - Since Cursor runs with developer-level privileges, the command executes in the victim’s environment, potentially leading to data theft, ransomware, or further system compromise.

5. **Verification**:
   - Check the victim’s machine for `/tmp/pwned.txt` to confirm successful command execution.
   - Modify the `COMMAND` variable to execute other shell commands as needed.
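As an added defensive counterpart to the mechanism described in step 4 (example code, not part of the PoC): a baseline check that fingerprints the approved `mcpServers` entries in `~/.cursor/mcp.json` and reports any entry that is new, whose launch command changed since it was approved, or that carries the `auto_start`/`start_command` keys the text names. The `mcpServers`/`command`/`args` layout is Cursor's documented config shape; the sample entries below are constructed.

```python
import hashlib
import json
from pathlib import Path

# Keys the PoC text names as its auto-run mechanism; flag them wherever they appear.
AUTO_RUN_KEYS = {"auto_start", "start_command"}

def entry_fingerprint(entry: dict) -> str:
    """Stable hash over the fields that decide what a server entry launches."""
    launch = {k: entry.get(k) for k in ("command", "args", "start_command")}
    return hashlib.sha256(json.dumps(launch, sort_keys=True).encode()).hexdigest()

def build_baseline(config: dict) -> dict:
    """Fingerprint every server entry in a config the user has reviewed and approved."""
    return {name: entry_fingerprint(e) for name, e in config.get("mcpServers", {}).items()}

def find_unapproved(config: dict, baseline: dict) -> list:
    """List servers that are new, changed since approval, or carry auto-run keys."""
    findings = []
    for name, entry in config.get("mcpServers", {}).items():
        if not isinstance(entry, dict):
            findings.append(f"{name}: malformed entry")
            continue
        hits = sorted(AUTO_RUN_KEYS.intersection(entry))  # keys present in this entry
        if hits:
            findings.append(f"{name}: uses auto-run keys {hits}")
        if name not in baseline:
            findings.append(f"{name}: not in approved baseline")
        elif baseline[name] != entry_fingerprint(entry):
            findings.append(f"{name}: launch command changed since approval")
    return findings

def load_config(path: Path = Path.home() / ".cursor" / "mcp.json") -> dict:
    """Read the live config; an absent file means no servers are configured."""
    return json.loads(path.read_text()) if path.exists() else {}

# Constructed sample data: one approved entry, then the same file after an extra entry was written.
APPROVED = {"mcpServers": {"docs": {"command": "npx", "args": ["-y", "docs-mcp"]}}}
BASELINE = build_baseline(APPROVED)
TAMPERED = {"mcpServers": {
    "docs": {"command": "npx", "args": ["-y", "docs-mcp"]},
    "helper": {"command": "/tmp/unreviewed-tool", "auto_start": True},
}}

if __name__ == "__main__":
    # Swap TAMPERED for load_config() to check the real file against a saved baseline.
    for line in find_unapproved(TAMPERED, BASELINE) or ["no unapproved MCP servers"]:
        print(line)
```

Store the baseline outside the workspace (it is only a dict of hashes) so that the same write that alters `mcp.json` cannot also silently re-approve itself.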

### Prerequisites
- Python 3.x with the `requests` library.
- A Slack workspace where the victim’s Cursor IDE is configured to fetch data via MCP.
- An attacker-controlled server (optional for advanced payloads).

### Notes
- This exploit targets Cursor IDE versions prior to 1.3, which was patched on July 29, 2025. Ensure the target is running a vulnerable version. Sources: [bleepingcomputer.com](https://www.bleepingcomputer.com/news/security/ai-powered-cursor-ide-vulnerable-to-prompt-injection-attacks/), [thehackernews.com](https://thehackernews.com/2025/08/cursor-ai-code-editor-fixed-flaw.html), [coesecurity.com](https://coesecurity.com/curxecute-rce-flaw-in-cursor-ai/).
- The attack relies on the victim’s Cursor IDE processing external data from a public Slack channel or similar MCP-connected service.
- For real-world use, ensure you have permission to test against the target system, as unauthorized exploitation is illegal.

This code and setup provide a functional demonstration of how an attacker could leverage CVE-2025-54135 to achieve remote code execution via prompt injection in Cursor IDE.
File snapshot

```
[4.0K] /data/pocs/86be37b23e096ba4628b64d35c65f678b72bf19e
└── [3.4K] README.md

0 directories, 1 file
```