Cursor MCPoison tool descriptor injection (CVE-2025-54136)
The MCPoison issue in Cursor showed that malicious tool descriptions could steer agent behavior through descriptor injection.
Affected systems
Coding agents, MCP deployments
Primary threats
Tool Misuse, Indirect Prompt Injection
Impact types
Instruction steering, Potential downstream code execution
CVEs
Not specified
What an auditor should now check
- Test poisoned descriptors against real tool invocation paths
- Check whether the runtime distinguishes tool schema from tool marketing text
- Verify that dangerous actions require parameter-level policy checks
Why this matters
This demonstrates that prose policy and tool metadata can function as authorization logic when the runtime lacks robust separation.
What happened
Cursor accepted maliciously crafted tool descriptions that could steer agent behavior. The exploit path ran through semantic trust in the descriptor layer.
Why the classification matters
This is not just UI text abuse. It is a control-plane failure where metadata influenced authority-bearing behavior.
What an auditor should now check
- Whether tool text is treated as trusted guidance
- Whether execution-time policy survives poisoned descriptors
- Whether the runtime logs descriptor versions and changes
Zealynx takeaway
If a tool description can change model behavior materially, it belongs in threat modeling and incident logging.
Control implications
- Sanitize and constrain tool descriptor text before model consumption
- Treat descriptor diffs as security-relevant events
- Keep high-risk actions behind execution-time validation, not descriptor trust
Affected systems
- Coding agents
- MCP deployments
Impact types
- Instruction steering
- Potential downstream code execution