DeepJack: hidden arguments in Cursor's MCP-install deeplink reach RCE
A crafted cursor:// link installs an attacker-controlled MCP server whose real command is scrolled off-screen in the install dialog, reaching unsandboxed code execution after one click.
In brief Most AI coding-agent security attention goes to prompt injection and MCP supply chains. A write-up published by Adversa AI on July 15, 2026 points at a quieter surface: the
cursor://URL-scheme handler that Cursor registers on install. A crafted deeplink can drive the IDE to install an attacker-controlled MCP server and run an unsandboxed command under the victim’s account after a single click and a single confirmation — because the install dialog does not reliably show the command it is asking you to approve. The researchers name the bug class DeepJack. The underlying dialog issue was acknowledged internally as early as April 27, 2026 and, per the report, still reproduced on Cursor build 3.9.8 at publication.
What is this?
Cursor, like most desktop coding tools, registers a custom URL scheme (cursor://) so that links can drive the IDE: open a file, start a pull-request review, install an MCP server. The install route accepts a server name and a base64-encoded config describing the command to run. That command executes with the developer’s full authority — no sandbox between it and their files, tokens, and shell.
DeepJack is the observation that the confirmation dialog meant to gate this install can be made to hide the very thing the user is approving. It builds on an earlier, publicly disclosed Cursor deeplink flaw (fixed in Cursor 1.3) whose remedy was to surface command arguments in the dialog. The DeepJack research shows that surfacing them is not enough if the dialog renders them in a way the user cannot actually read.
How it works
The report describes two variants of the same weakness. We summarise them conceptually; no working payload is reproduced here.
The first is a rendering weakness in the install dialog. The arguments are shown in a single-line text field. An attacker pads the visible portion with a long run of whitespace/control characters, so a benign-looking token (say, a calculator command) is all that fits on screen while the malicious tail — an outbound [REDACTED] command — scrolls off the right edge. The user reads the harmless prefix and approves; Cursor executes the full string.
The second is trust laundering through a nested deeplink. A second cursor:// install URI is double-URL-encoded and embedded inside the url parameter of a routine-looking pr-review link. The outer link is parsed once as a code-review request and the nested parameter is never recursively re-validated, so the install URI rides through as an opaque string and reaches the install handler downstream. The victim thinks they clicked “review this PR,” not “install a server.”
Stripped of the encoding tricks, this is argument injection through a custom URL-scheme handler (CWE-88) — a decades-old desktop bug class with prior art well outside AI tooling. What is new is where it lands.
Why it matters
The compromised endpoint is a developer workstation: SSH keys, cloud credentials, source code, live session tokens, and a direct path into CI and production. A URL-handler bug that would be a nuisance in a media player is, here, a foothold in the software supply chain.
The likelihood of any single link succeeding is modest — it still requires a click and an approval. The problem is asymmetry: low probability, near-total blast radius. And the surface is largely unwatched. A cross-agent survey in the same report found that most mainstream coding tools (Cursor, VS Code, Windsurf, Warp, and others) register a URL handler, and the majority expose a route that ends in install-or-execute — handlers many security teams did not know were registered at all.
Defenses
You do not need a vendor patch to cut exposure.
- Allowlist MCP servers through managed settings. Permit only named servers from authentic sources (your org or the original maintainer) and block any user- or agent-initiated install of anything else.
- Filter install/execute deeplink routes at the gateway. Block or quarantine the specific install URI patterns (
cursor://…/mcp/install,vscode://mcp/install, Windsurf’s registry install, Warp’swarp://launch/) at the email and web gateways that carry the bait. - Audit and, where possible, disable custom URL-scheme handlers (
cursor://,vscode://,codex://,claude-cli://) on developer machines — start by inventorying which are registered. - Monitor what agents spawn. Alert on any new or changed MCP server definition. The high-value signal — what the user was shown versus what actually executed — needs in-path visibility into the agent’s MCP traffic.
- Treat every deeplink parameter as hostile input, and every consent dialog as insufficient on its own. Keep agents away from untrusted codebases and don’t rely on a single confirmation screen as the whole boundary.
Status
| Item | Reference | Date | Notes |
|---|---|---|---|
| DeepJack disclosure | Adversa AI | 2026-07-15 | Two variants; reproduced on Cursor 3.9.8 |
| Earlier related flaw | CVE-2025-54133 (GHSA-r22h-5wp2-2wfv) | 2025 | Install dialog didn’t show arguments; fixed in Cursor 1.3 |
| Root-cause dialog issue | Cursor triage (per report) | 2026-04-27 | Single-line field lets content scroll off-screen |
| Prior deeplink weaponisation | Proofpoint “CursorJack” | 2025 | Phishing to command execution via install deeplink |
| Vendor status | Reports closed as duplicates | 2026 | Primitive reported live at publication |
The right framing is not “one more Cursor bug.” It is that agentic coding tools have each rebuilt the old “are you sure you want to run this?” prompt from scratch — and are asking it to render attacker-supplied commands safely, on the highest-value machines in an organisation, with nothing behind it.
Sources
- → https://adversa.ai/blog/cursor-security-deepjack-deeplink-vulnerability-mcp-rce/
- → https://nvd.nist.gov/vuln/detail/CVE-2025-54133
- → https://github.com/cursor/cursor/security/advisories/GHSA-r22h-5wp2-2wfv
- → https://www.proofpoint.com/us/blog/threat-insight/cursorjack-weaponizing-deeplinks-exploit-cursor-ide
- → https://cwe.mitre.org/data/definitions/88.html