OAuth Authentication Vulnerability in Cursor Code Editor by Cursor
CVE-2025-61591

8.8HIGH

Key Information:

Vendor: Cursor
Status: Cursor
Vendor: CVE Published:; 3 October 2025

What is CVE-2025-61591?

The Cursor code editor, used for programming with AI, contains a command injection vulnerability in versions 1.7 and below. This occurs when the editor utilizes OAuth authentication with a potentially untrusted MCP server. Malicious actors can exploit this flaw to impersonate the MCP server, delivering crafted commands during user interactions. If successful, an attacker can execute arbitrary commands on the host system, compromising it by gaining full user privileges. Currently, no stable version addresses this issue, although a patch (2025.09.17-25b418f) is available to mitigate the risk.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

cursor <= 1.7

References

https://github.com/cursor/cursor/security/advisories/GHSA...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Oct 3, 2025
Vulnerability Reserved
Sep 26, 2025

JSON

Cursor

What is CVE-2025-61591?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.