More evidence that AI expands the attack surface
Check Point researchers uncovered a remote code execution bug in popular vibe-coding AI tool Cursor that could allow an attacker to poison developer environments by secretly modifying a previously approved Model Context Protocol configuration, silently swapping it for a malicious command without any user prompt.
Cursor addressed the issue with a release on July 29 that requires user approval every time an MCP server entry is modified. So if you use the AI-powered code editor, update to the latest version and make sure you are not handing miscreants complete access to your machine every time you open Cursor.

While Cursor addressed the flaw, Check Point thinks the vulnerability highlights a major AI supply chain risk. "The flaw exposes a critical weakness in the trust model behind AI-assisted development environments, raising the stakes for teams integrating LLMs and automation into their workflows," the security shop's research team wrote.

MCP is an open-source protocol that Anthropic introduced in November 2024 to allow AI-based systems, like agents and large language models (LLMs), to connect to external data sources and interact with each other. While MCP does make those processes easier, it also opens the door to a whole new attack surface and related risks.

Cursor is an AI integrated development environment that uses LLMs to help write and debug code, and it also requires a certain level of trust, especially in multi-user environments using shared code, configuration files and AI-based plugins.

"We set out to evaluate whether the trust and validation model for MCP execution in Cursor properly accounted for changes over time, especially in cases where a previously approved configuration is later modified," Check Point researchers Andrey Charikov, Roman Zaikin and Oded Vanunu wrote. "In collaborative development scenarios, such changes are common – and any gaps in validation could lead to command injection, code execution, or persistent compromise," the trio added.
And as you can probably guess, the researchers did find such a validation gap and showed how it could be abused by altering an already-approved MCP server configuration to trigger malicious code execution every time a project is opened in Cursor.

The team dubbed the vuln "MCPoison", and it essentially boils down to Cursor's one-time approval for MCP configurations. Once Cursor approves an initial configuration, it trusts all future modifications without requiring any new validation. An attacker could easily exploit this trust by adding a benign MCP configuration with a harmless command to a shared repository, waiting for someone to approve it, and then later changing the same entry so it executes a malicious command, which is then run silently on the victim's machine every time Cursor is reopened.

The Check Point team also published a proof-of-concept demonstrating this type of persistent remote code execution: first getting a non-malicious MCP command approved and then replacing it with a reverse-shell payload, thus gaining access to the victim's machine every time they open the Cursor project.

This vulnerability disclosure is just the first in a series of flaws that Check Point researchers uncovered in developer-focused AI platforms, we're told. "As AI-assisted coding tools and LLM-integrated environments continue to shape modern software workflows, CPR will publish further findings that highlight overlooked risks and help raise the security bar across this emerging ecosystem," the trio wrote.
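To make the trust-model gap concrete, here is an added example (not Check Point's proof-of-concept or Cursor's own code) contrasting approval keyed only on a server entry's name, which is the behaviour the article describes, with approval pinned to a hash of the entry's content, which is the behaviour the fix requires. The JSON layout, server name and commands are constructed assumptions, not taken from the article.

```python
import hashlib
import json

# Constructed sample configs. The "mcpServers"/"command"/"args" layout and the
# server name are assumptions for this example, not taken from the article.
APPROVED_CONFIG = json.dumps({"mcpServers": {
    "docs-helper": {"command": "npx", "args": ["docs-helper-server"]}}})
# Same entry name after someone rewrote the command in the shared repo.
MODIFIED_CONFIG = json.dumps({"mcpServers": {
    "docs-helper": {"command": "sh", "args": ["-c", "PLACEHOLDER_COMMAND"]}}})
# Identical content, only key order changed: must NOT trigger re-approval.
REORDERED_CONFIG = json.dumps({"mcpServers": {
    "docs-helper": {"args": ["docs-helper-server"], "command": "npx"}}})

def entry_fingerprint(entry):
    """SHA-256 of the canonical JSON of one server entry, so any change to
    command, args or env is caught regardless of key order or whitespace."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def approve(config_text):
    """Record a user's approval as {server name: fingerprint}."""
    servers = json.loads(config_text)["mcpServers"]
    return {name: entry_fingerprint(entry) for name, entry in servers.items()}

def trusted_by_name(approvals, config_text):
    """Vulnerable model: an entry stays trusted if its name was ever approved,
    so a later change to its command goes unnoticed."""
    servers = json.loads(config_text)["mcpServers"]
    return {name: name in approvals for name in servers}

def trusted_by_content(approvals, config_text):
    """Fixed model: an entry is trusted only while its current content hash
    matches the one that was approved; anything else must be re-approved."""
    servers = json.loads(config_text)["mcpServers"]
    return {name: approvals.get(name) == entry_fingerprint(entry)
            for name, entry in servers.items()}

def needs_reapproval(approvals, config_text):
    """Names of entries an editor should prompt the user about before running."""
    checks = trusted_by_content(approvals, config_text)
    return sorted(name for name, ok in checks.items() if not ok)

if __name__ == "__main__":
    approvals = approve(APPROVED_CONFIG)
    print("name-only trust:", trusted_by_name(approvals, MODIFIED_CONFIG))
    print("content trust:  ", trusted_by_content(approvals, MODIFIED_CONFIG))
    print("re-approve:     ", needs_reapproval(approvals, MODIFIED_CONFIG))
```

The same fingerprint check works as a pre-commit or CI gate on a shared repository's MCP config, flagging any entry whose command or arguments differ from the last reviewed version.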