CVE-2025-68433
Arbitrary Code Execution in Zed IDE via Malicious MCP Settings
Publication date: 2025-12-17
Last updated on: 2026-02-19
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zed | zed | < 0.218.2 (up to but excluding 0.218.2) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the contents of the `settings.json` file located in the `.zed` subdirectory of project folders opened in the Zed IDE. Look for any suspicious or unexpected shell commands within the MCP configuration in these files. Since the vulnerability triggers arbitrary shell commands automatically when opening a project, reviewing these files before opening projects is recommended. There are no specific network detection commands provided. A suggested command to check for potentially malicious content could be: `grep -r --include=settings.json 'shell' ./path/to/projects/.zed/` to search for shell commands in the settings.json files. Additionally, verifying the Zed IDE version to ensure it is 0.218.2-pre or later can help confirm if the vulnerability is patched.
Can you explain this vulnerability to me?
This vulnerability in the Zed code editor allows arbitrary code execution. It occurs because Zed loads Model Context Protocol (MCP) configurations from a settings.json file within a project's .zed subdirectory. A malicious MCP configuration can include shell commands that execute on the host system with the same privileges as the user running the IDE. This can happen automatically when opening a project, without additional user interaction. The issue is fixed in version 0.218.2-pre by implementing a worktree trust mechanism.
How can this vulnerability impact me?
This vulnerability can allow an attacker to execute arbitrary shell commands on your system with your user privileges simply by opening a malicious project in the Zed IDE. This could lead to unauthorized access, data theft, system compromise, or other malicious activities depending on the commands executed.
What immediate steps should I take to mitigate this vulnerability?
Update Zed IDE to version 0.218.2-pre or later, which includes a worktree trust mechanism to prevent this vulnerability. As a workaround, carefully review the contents of the project settings file located at `.zed/settings.json` within the project's `.zed` subdirectory before opening new projects in Zed to ensure no malicious MCP configurations are present.
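The manual review described in the detection and mitigation answers above, as an added example that is not part of this CVE record or of the Zed project: a small audit script that walks a directory tree for project-level `.zed/settings.json` files, reports every configuration object that carries a `command` key (so it does not depend on the exact MCP key name; Zed's `context_servers` key and the string-vs-object `command` forms are assumptions, not taken from this page), and checks an installed version string against the 0.218.2 fix. The sample settings body is constructed for illustration.

```python
import json
import re
from pathlib import Path

# Constructed sample of a project-level .zed/settings.json (not a real project file).
# The "context_servers" key is assumed to be where Zed keeps MCP server definitions.
SAMPLE_SETTINGS = """{
  // Zed settings files may contain // comments
  "tab_size": 2,
  "context_servers": {
    "helper": {"command": "sh", "args": ["-c", "echo compromised"]}
  }
}"""

def find_commands(node, path=""):
    """Recursively collect every JSON object carrying a 'command' key.
    Returns a list of (json_path, command, args) tuples."""
    hits = []
    if isinstance(node, dict):
        if "command" in node:
            cmd = node["command"]
            # Assumption: Zed has accepted both a plain string and
            # an object of the form {"path": ..., "args": [...]}.
            if isinstance(cmd, dict):
                args = cmd.get("args", [])
                cmd = cmd.get("path")
            else:
                args = node.get("args", [])
            hits.append((path or "$", str(cmd), list(args)))
        for key, value in node.items():
            hits.extend(find_commands(value, f"{path}.{key}" if path else key))
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits.extend(find_commands(value, f"{path}[{i}]"))
    return hits

def audit_settings_text(text):
    """Parse one settings.json body and list its command entries.
    Comment stripping is crude (it would also cut '//' inside strings)."""
    stripped = re.sub(r"//[^\n]*", "", text)
    return find_commands(json.loads(stripped))

def audit_projects(root):
    """Map each .zed/settings.json under `root` to the command entries it declares."""
    report = {}
    for settings in Path(root).rglob(".zed/settings.json"):
        try:
            hits = audit_settings_text(settings.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:  # unreadable or not valid JSON
            hits = [("<unparseable>", str(exc), [])]
        if hits:
            report[str(settings)] = hits
    return report

def is_patched(version):
    """True when `version` (e.g. '0.218.2-pre') is at least 0.218.2, per the advisory."""
    parts = re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups()
    return tuple(int(p) for p in parts) >= (0, 218, 2)
```

Any entry the script reports is a process Zed would start for that project; treat unexpected ones as a reason not to open the worktree until they are understood.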