CVE-2025-55012
BaseFortify
Publication date: 2025-08-11
Last updated on: 2025-08-12
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zed | zed | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Zed, a multiplayer code editor, allowed an AI agent in the Zed Agent Panel to bypass user permission checks and achieve Remote Code Execution (RCE). Specifically, the AI agent could create or modify a project-specific configuration file, which would lead to the execution of arbitrary commands on the victim's machine without the user's explicit approval. This issue was fixed in version 0.197.3.
How can this vulnerability impact me?
If exploited, this vulnerability could allow an attacker using an AI agent to execute arbitrary commands on your machine without your explicit permission. This could lead to unauthorized changes, data loss, or compromise of your system's security.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update Zed to version 0.197.3 or later where the issue is patched. As a workaround, avoid sending prompts to the Agent Panel or limit the AI Agent's file system access to prevent exploitation.