How to use python with the Cursor IDE

How-to-Python-in-Cursor.md

How to use python with the Cursor AI IDE

Cursor.app has a critical vulnerability that should be taken seriously!

Please see my post below on this as sooon as possible! https://gist.github.com/joeblackwaslike/752b26ce92e3699084e1ecfc790f74b2?permalink_comment_id=5716065#gistcomment-5716065

Newer versions are slightly different

There are newer changes to cursor which make the older instructions no longer work. After editing the product.json file and even resigning, cursor complains about the code signature no longer validating and will not launch. In the comments @realdimas has found a new way to get pylance in the latest versions using a script he has made availasble. Be sure to thank him, I'm unable to achieve optimal results but will update.

Version details

Version: 1.2.4 (Universal) VSCode Version: 1.99.3 Commit: a8e95743c5268be73767c46944a71f4465d05c90 Date: 2025-07-10T16:55:16.443Z (2 wks ago)

Instructions

1. download the latest cursor version (1.2.4+).
2. Then run the following in your terminal: (you'll need uv)

uv run --script https://gist.githubusercontent.com/realdimas/c025cdba50cc05e0f644eb71bf7efbb9/raw/pylance_patcher.py

3. Next drag the patched pylance extension created in the directory you ran the above command and drag it into the extensions tab in your new cursor.

Older versions can be more easily patched, here is the version details that worked for me

Version: 0.49.6 VSCode Version: 1.96.2 Commit: 0781e811de386a0c5bcb07ceb259df8ff8246a50 Date: 2025-04-25T05:07:16.071Z (3 mos ago)

We are going to edit cursors settings to point to the microsoft extensions marketplace.

1. Remove all extensions and exit Cursor.
2. Locate your Cursor project.json file depending on your platform and open it.
   • On MacOS: /Applications/Cursor.app/Contents/Resources/app/product.json
   • On Windows: C:\Users\<user_name>\AppData\Local\Programs\cursor\resources\app\product.json
   • On Linux: /usr/lib/code/product.json
3. Locate the object value for key extensionsGallery in the json document.

Contents of extensionsGallery key in product.json for Cursor

{
    "galleryId": "cursor",
    "serviceUrl": "https://marketplace.cursorapi.com/_apis/public/gallery",
    "itemUrl": "https://marketplace.cursorapi.com/items",
    "resourceUrlTemplate": "https://marketplace.cursorapi.com/{publisher}/{name}/{version}/{path}",
    "controlUrl": "",
    "recommendationsUrl": "",
    "nlsBaseUrl": "",
    "publisherUrl": ""
}

4. Edit it to look like this:

{
    "galleryId": "cursor",
    "serviceUrl": "https://marketplace.visualstudio.com/_apis/public/gallery",
    "itemUrl": "https://marketplace.visualstudio.com/items",
    "resourceUrlTemplate": "https://{publisher}.vscode-unpkg.net/{publisher}/{name}/{version}/{path}",
    "controlUrl": "",
    "recommendationsUrl": "",
    "nlsBaseUrl": "",
    "publisherUrl": ""
}

5. Reopen Cursor.app and install the following extensions:
   • ms-python.python
   • ms-python.vscode-pylance
   • ms-python.debugpy
6. Make sure in your settings that python.languageServer is set to "Pylance"
7. Re-sign Cursor.app (for MacOS)

codesign --force --deep --sign - /Applications/Cursor.app

Enjoy!

PS: you may need to goto your settings.json to remove any theme settings, because having a broken theme looks exactly like this same problem. In my case cursor had copied over my settings from vscode and they pointed to a theme that wasn't yet installed in cursor, removing and then setting the theme manually worked when I though for sure I had broken it again.

Warning

I just received an email about a serious security vulnerability in cursor that allows attackers RCE via prompt injection!

Critical info

• Severity: High! (8.6/10)
• CVE ID: CVE-2025-54135
• Affected versions: <= 1.2.1
• Patched versions: 1.3.9+

The good news is it's been patched since version 1.3.9+. Check your cursor version now to see whether you're affected!

Accessing cursor version

• MacOs: just use the menubar the menubar Cursor > About Cursor.
• Windows: I have no idea, but chime in if you know and can provide this. 💁
• Linux: I assume you already know three ways to accomplish. My surface-linux thingy does not have cursor installed. 😂

Advice

First, this is way above my paygrade but I can give you a few suggestions.

• If you are affected you should close cursor immediately and start assessing the extent, if any, that you were compromised.
• Check ~/.cursor/mcp.json and any mcp servers you use.
• Check your logs/dmesg for anything fucky, inspect your running processes, and look for recent changes to critical system files and/or those of your repositories.

How to fix

Simple answer is to just replace your existing cursor with the latest release.... But tbh the official python support is not great. That's why this place exists. This may take some time because there is a lot to document for this process, and I have only recently figured out the most straightforward and optimal way to patch the latest versions of cursor, specifically version 1.4.4, which will be the focus from here on out.

TLDR; It's non trivial but I have used some excellent scripts from @realdimas which help automate a lot of the complexity, especially across various versions of cursor which require very different approaches. I have also developed some of my own scripts that automate the grunt work of downloading and installing extensions from both the MS marketplace as well as cursors marketplace, etc. I need some time to gather all of these things together, refine them, document them, and make one cohesive set of instructions that can be easily followed by everyone. If you want to help contribute to this effort, reach out, and stay tuned to this space over the next few days.

Sources for more info

• https://thehackernews.com/2025/08/cursor-ai-code-editor-fixed-flaw.html
• GHSA-4cxx-hrm3-49rm