If you open a JSON file in Cursor and notice that $schema validation isn’t working — no errors for wrong types, no warnings for unknown properties — you’re not imagining it. Cursor disables remote schema fetching by default. Here’s why, and how to turn it back on.
Why it’s disabled
This is intentional. CVE-2025-49150, published in June 2025, explains why: Cursor’s AI Agent can autonomously write and modify JSON files, and if json.schemaDownload.enable is on, any JSON file containing a $schema field triggers an outbound HTTP GET request without user confirmation. A compromised agent could point $schema at an attacker-controlled URL to exfiltrate data.
Cursor rated it CVSS 5.9 (moderate severity) and shipped the fix in 0.51.0 on May 30, 2025 — turning the feature off by default. Visual Code doesn’t have this restriction because it has no AI agent autonomously writing files.
The fix
Open your Cursor settings (Cmd+, → search for “json”) and add this setting:
{
"json.schemaDownload.enable": true
}After saving, open the Command Palette (Cmd+Shift+P) and run JSON: Clear Schema Cache, then reopen your JSON file. You should see validation errors inline.
⚠️ You’re opting back into behaviour that was disabled for a reason. In a trusted personal workspace this is low risk. In a shared or enterprise workspace where Cursor agents have broad file access, think twice before enabling it globally.
Rather than enabling this setting globally, a safer approach is to enable it per project. Instead of adding it to your user settings, add the setting to a .vscode/settings.json file on the project you want the JSON validation to be enabled. Schema download will then only be active in projects you explicitly opt into.
Leave a Reply to Gutenberg Times: PHP-only blocks, WordCamp Asia, Dev Notes for WordPress 7.0 — Weekend Edition #360 – TRYTON NEWSCancel reply