Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2026-25805 is a moderate severity vulnerability affecting Zed Editor versions prior to 0.219.4. The vulnerability exists because Zed does not display the parameter values used when invoking Modular Command Protocol (MCP) tools, neither at the time of user confirmation nor after the tool has been executed.'}, {'type': 'paragraph', 'content': 'This design flaw prevents users from detecting "tool poisoning," a form of indirect prompt injection where an attacker manipulates the AI agent to call tools with malicious or unintended parameter values without the user\'s knowledge.'}, {'type': 'paragraph', 'content': 'As a result, users cannot verify or reject potentially harmful tool invocations since the parameters are not visible in the chat history or confirmation prompts.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability can lead to high confidentiality, integrity, and availability risks. An attacker with network access and high privileges can coerce the AI into using specific malicious parameters without the user's knowledge."}, {'type': 'paragraph', 'content': 'This may result in unauthorized data access, data modification, or other harmful actions executed by the AI tools, potentially compromising the security and reliability of the system.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability involves Zed Editor not displaying the parameters used when invoking MCP tools, which prevents users from detecting malicious or unintended parameter values. Detection relies on verifying whether the Zed Editor version in use is prior to 0.219.4, as those versions lack the feature to show tool call parameters.'}, {'type': 'paragraph', 'content': "Since the vulnerability is related to the application's UI behavior and parameter visibility rather than network traffic patterns, there are no specific network or system commands provided to detect it directly."}, {'type': 'paragraph', 'content': 'To detect if your system is vulnerable, check the installed Zed Editor version using commands appropriate to your environment, for example:'}, {'type': 'list_item', 'content': 'Run `zed --version` or check the application about page to determine the version.'}, {'type': 'list_item', 'content': 'Review application logs or update history to confirm if version 0.219.4 or later is installed.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to update the Zed Editor to version 0.219.4 or later, which includes a patch that introduces expandable tool call details showing parameter values during tool invocation.

This update enables users to detect and prevent tool poisoning attacks by making parameter values visible both at confirmation and after tool execution.

Additionally, ensure that only trusted MCP servers are used and restrict network access to prevent attackers from coercing the AI into using malicious parameters.

Maintain the principle of least privilege and require user interaction for tool invocations to reduce the risk of exploitation.

Useful 0 Not Useful 0