Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-27800 is a Zip Slip (Path Traversal) vulnerability in the Zed code editor's extension archive extraction functionality prior to version 0.224.4."}, {'type': 'paragraph', 'content': 'The vulnerability exists because the `extract_zip()` function does not properly validate ZIP entry filenames for path traversal sequences like `../`. This allows a malicious ZIP archive to write files outside the intended sandbox directory during extraction.'}, {'type': 'paragraph', 'content': "Although Zed attempts to validate the destination directory to keep files within the extension's work directory, it does not validate individual ZIP entry filenames, enabling crafted filenames to escape the sandbox."}, {'type': 'paragraph', 'content': 'The vulnerability affects users who install third-party extensions that download and extract ZIP files, requiring only user interaction to install the extension.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows an attacker to write arbitrary files outside the extension's sandbox directory by exploiting path traversal in ZIP archive extraction."}, {'type': 'list_item', 'content': 'Arbitrary file write outside the sandbox'}, {'type': 'list_item', 'content': 'Configuration tampering'}, {'type': 'list_item', 'content': 'Credential theft'}, {'type': 'list_item', 'content': 'Supply chain compromise'}, {'type': 'list_item', 'content': 'Sandbox escape'}, {'type': 'paragraph', 'content': 'The attack requires low complexity, no privileges, but user interaction (installing a malicious extension). The impact is high on integrity but does not affect confidentiality or availability.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking if files with path traversal sequences (e.g., filenames containing '../') have been written outside the expected extension sandbox directory after installing or updating Zed extensions."}, {'type': 'paragraph', 'content': "One practical approach is to monitor the extension work directory and its parent directories for unexpected files that should not be present, especially files with names like '../escaped_level1.txt' or '../../escaped_level2.txt' as demonstrated in the proof-of-concept."}, {'type': 'paragraph', 'content': 'You can use commands to search for suspicious files outside the expected directories. For example, on Unix-like systems, you might run:'}, {'type': 'list_item', 'content': "find /path/to/zed/extensions/parent_directory -type f -name '*escaped_level*.txt'"}, {'type': 'list_item', 'content': "grep -r '\\.\\./' /path/to/zed/extensions/"}, {'type': 'paragraph', 'content': 'Additionally, monitoring network traffic for downloads of ZIP archives by extensions and inspecting their contents for path traversal filenames can help detect exploitation attempts.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Zed to version 0.224.4 or later, where the vulnerability has been fixed by adding strict path traversal validation in the ZIP extraction function.

If upgrading is not immediately possible, avoid installing or updating third-party extensions that download and extract ZIP archives, as these are the attack vector.

As a temporary measure, monitor and restrict file writes outside the extension sandbox directory and consider applying file system permissions or sandboxing mechanisms to limit the impact of malicious extensions.

Useful 0 Not Useful 0