Hello Cursor Team,
I am writing to report a major loophole I’ve discovered in the current build of Cursor. There is a critical vulnerability involving the Model Context Protocol (MCP) integration that allows users to bypass token and context limits entirely.
Vulnerability Description: When a user routes their connection through MCP, it leverages the persistent session and listening capabilities in an unintended way. This creates an indefinite connection that locks Cursor into the current workspace context without ever forcing a refresh, dropping the connection, or applying standard context truncation.
The Impact: Users are essentially able to exploit this as an “infinite token” glitch. Because the context never breaks, users do not have to re-send background prompts or rebuild context for massive projects. While the continuity is great, it completely bypasses your standard usage limits. I imagine this could lead to massive API abuse, token hoarding, and unexpected backend costs for your team, as users can theoretically keep an endless context window open for free.
Summary of Exploit:
- Connect and route the development environment through MCP.
- Utilize its persistent listening feature to keep the session alive indefinitely.
- The user can now process thousands of lines of code and cross-file logic without ever hitting standard token caps or being forced to start a new chat.
I strongly recommend investigating the way Cursor handles context lifecycle and token metering when connected via MCP. This is a massive loophole that could easily be abused by high-frequency developers.
Please let me know if you need more specific configuration details or reproduction steps to help patch this issue.
Best regards,