CVE-2026-27800
Status: Received - Intake
Zip Slip Path Traversal in Zed Extension Extraction Allows Sandbox Escape

Publication date: 2026-02-26

Last updated on: 2026-03-04

Assigner: GitHub, Inc.

Description
Zed, a code editor, has a Zip Slip (Path Traversal) vulnerability in its extension archive extraction functionality prior to version 0.224.4. The `extract_zip()` function in `crates/util/src/archive.rs` fails to validate ZIP entry filenames for path traversal sequences (e.g., `../`). This allows a malicious extension to write files outside its designated sandbox directory by downloading and extracting a crafted ZIP archive. Version 0.224.4 fixes the issue.
Meta Information
Published: 2026-02-26
Last Modified: 2026-03-04
Generated: 2026-05-07
AI Q&A: 2026-02-26
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
1 associated CPE
Vendor: zed
Product: zed
Version / Range: all versions before 0.224.4 (0.224.4 excluded)
CWE
CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, 'Path Traversal'): The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27800 is a Zip Slip (Path Traversal) vulnerability in the Zed code editor's extension archive extraction functionality prior to version 0.224.4.

The vulnerability exists because the `extract_zip()` function does not properly validate ZIP entry filenames for path traversal sequences like `../`. This allows a malicious ZIP archive to write files outside the intended sandbox directory during extraction.

Although Zed attempts to validate the destination directory to keep files within the extension's work directory, it does not validate individual ZIP entry filenames, enabling crafted filenames to escape the sandbox.

The vulnerability affects users who install third-party extensions that download and extract ZIP files, requiring only user interaction to install the extension. [1]


How can this vulnerability impact me?

This vulnerability allows an attacker to write arbitrary files outside the extension's sandbox directory by exploiting path traversal in ZIP archive extraction. Possible consequences:

- Arbitrary file write outside the sandbox
- Configuration tampering
- Credential theft
- Supply chain compromise
- Sandbox escape

The attack requires low complexity and no privileges, but it does require user interaction (installing a malicious extension). The direct impact is on integrity: the extraction writes files, it does not read them, so confidentiality and availability are rated as unaffected. Credential theft and supply chain compromise in the list above are follow-on effects of what an attacker can do with an arbitrary file write, not a direct disclosure by the extraction itself. [1]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking whether files have been written outside the expected extension sandbox directory after installing or updating Zed extensions. The traversal sequences (e.g., '../') live in the ZIP entry names; once extracted, the files land in a parent directory under the remaining part of the name.

One practical approach is to monitor the extension work directory and its parent directories for unexpected files that should not be present. The proof-of-concept entries '../escaped_level1.txt' and '../../escaped_level2.txt', for example, would appear as 'escaped_level1.txt' one level above the sandbox and 'escaped_level2.txt' two levels above it.

You can use commands to search for suspicious files outside the expected directories. For example, on Unix-like systems, you might run:

find /path/to/zed/extensions/parent_directory -type f -name '*escaped_level*.txt'

grep -r '\.\./' /path/to/zed/extensions/

The find command looks for the proof-of-concept file names; the grep command searches file contents for a literal '../' sequence. Both use the PoC names only as an illustration, so adjust them to the names used by the archive you are investigating.

Additionally, monitoring network traffic for downloads of ZIP archives by extensions and inspecting their contents for path traversal filenames (for example by listing the entries with unzip -l before extraction) can help detect exploitation attempts. [1]
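The script below is an added example written for this page; it is not code from the Zed project (whose `extract_zip()` is Rust in `crates/util/src/archive.rs`) and not part of the original advisory. It builds a constructed archive in memory that carries the two proof-of-concept entry names quoted above, reproduces the defect with a naive extraction loop (the files land one and two directories above the sandbox), shows the entry-name check that closes it, and provides a scanner you can run on a downloaded archive before extracting it. All function names, file names and sample contents are this example's own.

```python
from __future__ import annotations

import io
import os
import tempfile
import zipfile
from pathlib import Path


def build_crafted_zip(traversal: bool = True) -> bytes:
    """Constructed sample archive (not a real Zed extension). With traversal=True
    it carries the two escaping names from the PoC plus benign files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if traversal:
            zf.writestr("../escaped_level1.txt", "escaped one level\n")
            zf.writestr("../../escaped_level2.txt", "escaped two levels\n")
        zf.writestr("extension.toml", 'id = "demo"\n')
        zf.writestr("src/lib.rs", "// benign\n")
    return buf.getvalue()


def _resolves_inside(root: Path, name: str) -> bool:
    """True if joining `name` onto `root` lands at or beneath `root`. Resolving
    collapses `..` segments, and an absolute entry name replaces `root`
    outright, so both escape forms end up outside and are rejected."""
    target = (root / name).resolve()
    return target == root or root in target.parents


def find_traversal_entries(zip_bytes: bytes, dest: str) -> list[str]:
    """Detection: entry names that would escape `dest` if extracted naively."""
    root = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not _resolves_inside(root, n)]


def extract_zip_unsafe(zip_bytes: bytes, dest: str) -> list[str]:
    """Naive extraction with the defect the advisory describes: the entry name
    is joined onto dest and written with no check on where it resolves.
    (ZipFile.extractall strips '..' itself, which is why the loop is explicit.)"""
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            target = os.path.join(dest, info.filename)  # no validation
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with open(target, "wb") as f:
                f.write(zf.read(info))
            written.append(os.path.realpath(target))
    return written


def extract_zip_safe(zip_bytes: bytes, dest: str) -> list[str]:
    """Hardened extraction: validate every entry first so a bad archive leaves
    nothing behind, then write only paths proven to be under dest."""
    root = Path(dest).resolve()
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        bad = [n for n in zf.namelist() if not _resolves_inside(root, n)]
        if bad:
            raise ValueError(f"zip slip entry rejected: {bad[0]!r}")
        written = []
        for info in zf.infolist():
            target = (root / info.filename).resolve()
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(str(target.relative_to(root)))
    return written


def demo() -> dict:
    """Extract the crafted archive both ways inside one throwaway directory and
    report what escaped the sandbox; nothing is written outside that directory."""
    with tempfile.TemporaryDirectory() as outer:
        outer_real = os.path.realpath(outer)
        dest = os.path.join(outer, "work", "ext")   # the "sandbox"
        os.makedirs(dest)
        dest_real = os.path.realpath(dest)
        crafted = build_crafted_zip(traversal=True)
        flagged = find_traversal_entries(crafted, dest)
        leaked = [os.path.relpath(p, outer_real)
                  for p in extract_zip_unsafe(crafted, dest)
                  if not p.startswith(dest_real + os.sep)]
        safe_dest = os.path.join(outer, "work", "ext_safe")
        os.makedirs(safe_dest)
        try:
            extract_zip_safe(crafted, safe_dest)
            safe_error = ""
        except ValueError as e:
            safe_error = str(e)
        safe_written = sorted(os.listdir(safe_dest))
        clean_written = extract_zip_safe(build_crafted_zip(False), safe_dest)
    return {"flagged": flagged, "leaked": leaked, "safe_error": safe_error,
            "safe_written": safe_written, "clean_written": clean_written}
```

Running `demo()` shows `flagged` holding both PoC names, `leaked` listing `work/escaped_level1.txt` and `escaped_level2.txt` (relative to the temp root, i.e. one and two levels above the sandbox), and the hardened path rejecting the archive before writing anything. One caveat the check does not cover: an archive may also carry a symlink entry pointing outside the destination and a later entry that writes through it, so a production extractor should additionally refuse symlink entries or materialise them as regular files.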


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Zed to version 0.224.4 or later, where the vulnerability has been fixed by adding strict path traversal validation in the ZIP extraction function.

If upgrading is not immediately possible, avoid installing or updating third-party extensions that download and extract ZIP archives, as these are the attack vector.

As a temporary measure, monitor and restrict file writes outside the extension sandbox directory and consider applying file system permissions or sandboxing mechanisms to limit the impact of malicious extensions.

