Cursor Tool Call Injection Vulnerability
Problem Statement
A potential security vulnerability has been identified in Cursor IDE: when an AI assistant's response contains an example of the tool call format (for instance while documenting or explaining it), the client can misinterpret the example as an actual tool call request. This opens a new prompt injection path, in which an attacker crafts content that, once read and reproduced by an assistant in Cursor, triggers unintended tool execution.
Description
When explaining or demonstrating tool call formats within Cursor, the IDE appears to parse the code examples and attempt to execute them as if they were real tool calls. This behavior creates a potential attack chain:
- An attacker creates content containing formatted tool call examples
- The attacker tricks an AI assistant into reading and reproducing this content
- When the assistant outputs the example format, Cursor may interpret it as a legitimate tool call request
- This could trigger unauthorized command execution with the permissions of the Cursor client
This vulnerability is particularly concerning because:
- Users may be unaware that explaining tool call formats could trigger actual executions
- It creates a path for remote code execution through seemingly innocent documentation
- High-privilege operations could be performed without explicit user authorization
Example Scenario
When attempting to explain code that includes a tool call format, such as XML-like tags for function calls and their parameters, Cursor may detect the pattern and attempt to execute the function. This was observed while discussing the implementation of the registerToolsWithModel method for MCP integration.
The mere discussion of the tool call syntax caused Cursor to report an error saying “Tool [name] not found”, indicating that the example had been parsed and dispatched as an actual tool call request (the tool name used in the example did not correspond to a registered tool, hence the lookup failure). Note that this lookup failure is the only behavior observed so far; whether an example naming a registered tool is executed, and whether Cursor's existing confirmation prompts would intercept it, has not yet been confirmed.
Reproduction Steps
- Ask an AI assistant in Cursor to explain how tool calls are formatted
- Have the AI include examples of the tool call format in its response
- Observe Cursor attempting to process these examples as real tool calls
- Note any error messages about tools not being found or unavailable
Security Implications
This vulnerability could be exploited through the following chain of events:
- An attacker creates a webpage or document containing formatted tool call examples that would invoke privileged tools
- They convince a user to ask their AI assistant about that content
- When the AI reproduces the tool call format in its response, Cursor would execute it with the user's permissions
- This could lead to data theft, system compromise, or further exploitation
Recommended Mitigation
Several approaches could address this vulnerability:
- Content Validation: Implement strict validation for tool call formats, accepting a call only when the assistant actually invokes a tool, never when the syntax merely appears inside prose or a code example in its response
- Context Awareness: Distinguish content that is being discussed or quoted from tools that are being actively invoked
- Escaping Mechanism: Provide a way for AI assistants to escape or neutralize tool call syntax when explaining it, so the displayed text cannot match the parser
- Confirmation Dialogs: Require explicit user confirmation before executing any tool call, especially those involving privileged operations
- Documentation Format: Create a secure way to display tool call documentation that won't be interpreted as execution requests
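The following is an added example, not Cursor's code or the report's, illustrating both the failure mode from the Example Scenario and the Content Validation, Escaping and Confirmation mitigations above. The XML-like tag names (`tool_call`, `param`), the tool names and the sample assistant replies are all assumptions made up for illustration; the report does not reproduce Cursor's real wire format. It contrasts a naive dispatcher that matches tool-call syntax anywhere in the model's output with a hardened one that ignores syntax inside fenced or inline code, refuses unknown tools (the "Tool [name] not found" path), and requires confirmation for privileged tools.

```python
import html
import re
from dataclasses import dataclass

# Hypothetical XML-like tool-call syntax, assumed for illustration only; it is
# not Cursor's real format, which the report does not reproduce.
TOOL_CALL_RE = re.compile(
    r'<tool_call\s+name="(?P<name>[^"]+)"\s*>(?P<body>.*?)</tool_call>', re.S)
PARAM_RE = re.compile(
    r'<param\s+name="(?P<name>[^"]+)"\s*>(?P<value>.*?)</param>', re.S)
FENCED_CODE_RE = re.compile(r'```.*?```', re.S)
INLINE_CODE_RE = re.compile(r'`[^`\n]*`')


@dataclass(frozen=True)
class ToolCall:
    name: str
    params: tuple  # ((param_name, value), ...), kept as a tuple so calls compare equal


def parse_calls(text):
    """Return every tool call whose syntax appears anywhere in `text`."""
    calls = []
    for m in TOOL_CALL_RE.finditer(text):
        params = tuple((p["name"], p["value"]) for p in PARAM_RE.finditer(m["body"]))
        calls.append(ToolCall(m["name"], params))
    return calls


def extract_naive(output):
    """Behaviour the report describes: tool-call syntax anywhere in the
    assistant's output is treated as a request, even inside a code example."""
    return parse_calls(output)


def extract_hardened(output):
    """Only syntax outside fenced and inline code is executable; anything the
    assistant marks up as code is documentation and is never dispatched."""
    prose_only = INLINE_CODE_RE.sub("", FENCED_CODE_RE.sub("", output))
    return parse_calls(prose_only)


def neutralize(text):
    """Escape tool-call syntax so it can be displayed verbatim without matching."""
    return html.escape(text, quote=False)


# Constructed sample: an assistant explaining the format, with the example fenced.
EXPLANATION = (
    "A tool call is an XML-like element naming the tool and its parameters:\n"
    "```xml\n"
    '<tool_call name="example_tool"><param name="path">/etc/hosts</param></tool_call>\n'
    "```\n"
    "The client parses the element and invokes the named tool.\n"
)

# Constructed sample: a genuine call emitted outside any code fence.
LIVE_CALL = ('Reading the file now.\n'
             '<tool_call name="read_file"><param name="path">README.md</param></tool_call>')

PRIVILEGED = {"run_terminal_cmd", "edit_file"}  # assumed names of high-impact tools


def dispatch(calls, registry, confirm):
    """Run calls against a registry. Unknown tools are refused (the
    'Tool [name] not found' path) and privileged tools need user confirmation."""
    results = []
    for call in calls:
        if call.name not in registry:
            results.append((call.name, f"error: Tool {call.name} not found"))
        elif call.name in PRIVILEGED and not confirm(call):
            results.append((call.name, "declined by user"))
        else:
            results.append((call.name, registry[call.name](**dict(call.params))))
    return results


REGISTRY = {  # stubs standing in for real file and shell access
    "read_file": lambda path: f"<contents of {path}>",
    "run_terminal_cmd": lambda command: f"<ran {command}>",
}


if __name__ == "__main__":
    never_confirm = lambda call: False
    print("naive:   ", dispatch(extract_naive(EXPLANATION), REGISTRY, never_confirm))
    print("hardened:", dispatch(extract_hardened(EXPLANATION), REGISTRY, never_confirm))
    print("live:    ", dispatch(extract_hardened(LIVE_CALL), REGISTRY, never_confirm))
    print(neutralize(EXPLANATION))
```

Run stand-alone, the naive path turns the fenced explanation into a dispatched call and reports the tool as not found, matching the symptom in the Example Scenario, while the hardened path finds nothing to dispatch in the same text and still executes the unfenced `read_file` call. Stripping code spans before matching is the simplest form of context awareness; a production client should also prefer a structured tool-call channel over scraping free text at all, since an attacker-controlled document can always try to place the syntax outside a fence.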
Severity
High (provisional) - This vulnerability could lead to remote code execution through social engineering, putting user systems and data at risk. The rating assumes that an example naming a registered tool would be executed without a confirmation prompt; so far only the "Tool [name] not found" lookup failure has been observed, and the severity should be revisited once that assumption is confirmed or refuted.
Disclosure Timeline
- Issue identified: [current date]
- Initial report to Cursor team: [pending]
- Public disclosure: After appropriate mitigation is in place
Affected Versions
All current versions of Cursor IDE that support tool execution appear to be affected.