CVE-2025-68432
Unknown Unknown - Not Provided
Arbitrary Code Execution in Zed IDE via Malicious LSP Configurations

Publication date: 2025-12-17

Last updated on: 2026-02-19

Assigner: GitHub, Inc.

Description
Zed, a code editor, has an aribtrary code execution vulnerability in versions prior to 0.218.2-pre. The Zed IDE loads Language Server Protocol (LSP) configurations from the `settings.json` file located within a project’s `.zed` subdirectory. A malicious LSP configuration can contain arbitrary shell commands that run on the host system with the privileges of the user running the IDE. This can be triggered when a user opens project file for which there is an LSP entry. A concerted effort by an attacker to seed a project settings file (`./zed/settings.json`) with malicious language server configurations could result in arbitrary code execution with the user's privileges if the user opens the project in Zed without reviewing the contents. Version 0.218.2-pre fixes the issue by implementing worktree trust mechanism. As a workaround, users should carefully review the contents of project settings files (`./zed/settings.json`) before opening new projects in Zed.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-17
Last Modified
2026-02-19
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-68432
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
zed zed to 0.218.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Zed, a code editor, allows arbitrary code execution due to how it loads Language Server Protocol (LSP) configurations from a project's settings.json file in the .zed subdirectory. A malicious LSP configuration can include shell commands that execute on the host system with the user's privileges when the user opens a project file with such an LSP entry. This can happen if an attacker seeds a project settings file with malicious configurations and the user opens the project without reviewing the settings.

Impact Analysis

If exploited, this vulnerability can allow an attacker to execute arbitrary code on your system with the same privileges as the user running the Zed IDE. This could lead to unauthorized actions such as data theft, system compromise, or further malware installation, depending on the user's permissions.

Detection Guidance

This vulnerability can be detected by inspecting project directories for the presence of a `.zed/settings.json` file containing suspicious or untrusted Language Server Protocol (LSP) configurations that may include arbitrary shell commands. Since the vulnerability is triggered when opening projects with malicious LSP entries, reviewing the contents of these settings files before opening projects is essential. There are no specific network detection commands provided. A suggested command to find such files is: `find /path/to/projects -type f -path '*/.zed/settings.json' -exec cat {} \;` to review their contents manually.

Mitigation Strategies

Immediate mitigation steps include upgrading Zed to version 0.218.2-pre or later, which implements a worktree trust mechanism to prevent this issue. As a workaround, users should carefully review the contents of project settings files (`./zed/settings.json`) before opening new projects in Zed to ensure no malicious LSP configurations are present.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-68432. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart