A serious flaw has been discovered that lets attackers use compromised MCP (Model Context Protocol) servers to inject malicious code into Cursor’s embedded browser.
Because Cursor lacks integrity checks for its proprietary features, it is more vulnerable to manipulation than Visual Studio Code.
The attack starts when a user uses Cursor’s configuration file to download and register a malicious MCP server. The rogue server directly injects arbitrary JavaScript into Cursor’s internal browser environment once it is activated.
Because no checksum is verified, attackers can alter the unverified code during server registration.
The injection mechanism overwrites the page entirely and bypasses UI-level security checks by replacing “document.body.innerHTML” with attacker-controlled HTML.
This makes it possible for attackers to present dangerous content or convincing fake login pages without drawing attention to themselves.
Knostic researchers demonstrated the vulnerability with a proof of concept that collected user credentials through a fake login page and sent them to a remote server.
With the stolen credentials, attackers could gain full access to a developer’s workstation and company network. Users only need to restart Cursor and enable the MCP server to launch the attack.
After it launches, the malicious code remains active in all browser tabs within the IDE, providing attackers with continuous access to the system.
This vulnerability highlights a significant threat to the developer ecosystem. Because MCP servers need extensive system permissions to operate, compromised servers can alter system components, elevate privileges, and carry out unauthorized actions without the user’s knowledge.
According to the Knostic research, the risk extends beyond individual developers. Because rogue MCP servers, IDE extensions, and prompts can run code on developer machines, which are now the new security perimeter, organizations face serious supply chain threats.
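The missing checksum step at server registration can be approximated on the defender’s side. The following is an added example, not code from Cursor or Knostic: it fingerprints each MCP server entry in a configuration file and flags entries that were never reviewed or that changed after review. It assumes the configuration is JSON with a top-level "mcpServers" object; the server names, paths and package name are constructed.

```python
import hashlib
import json


def fingerprint(entry: dict) -> str:
    """SHA-256 over a canonical JSON encoding of one server entry."""
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def audit_mcp_config(config: dict, pinned: dict) -> dict:
    """Return {server_name: status} for every registered or pinned server.

    ok       - entry matches the fingerprint recorded at review time
    changed  - entry exists but differs from what was reviewed
    unpinned - entry was registered without ever being reviewed
    missing  - pinned server is no longer registered
    """
    servers = config.get("mcpServers", {})  # assumed top-level key
    report = {}
    for name, entry in servers.items():
        if name not in pinned:
            report[name] = "unpinned"
        elif fingerprint(entry) != pinned[name]:
            report[name] = "changed"
        else:
            report[name] = "ok"
    for name in pinned:
        report.setdefault(name, "missing")
    return report


# Constructed sample data: names and paths are placeholders.
PINNED = {
    "docs": fingerprint({"command": "node", "args": ["/opt/mcp/docs/index.js"]}),
    "tickets": fingerprint({"command": "node", "args": ["/opt/mcp/tickets/index.js"]}),
}
SAMPLE_CONFIG = {
    "mcpServers": {
        "docs": {"command": "node", "args": ["/opt/mcp/docs/index.js"]},
        "tickets": {"command": "node", "args": ["/opt/mcp/tickets/index.v2.js"]},
        "helper": {"command": "npx", "args": ["-y", "example-mcp-helper"]},
    }
}

if __name__ == "__main__":
    for name, status in sorted(audit_mcp_config(SAMPLE_CONFIG, PINNED).items()):
        print(f"{name}: {status}")
```

The fingerprint covers only the registration entry, not the code that the command launches, so a pinned entry should point at a reviewed, locally stored copy of the server.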
