CVE-2026-27976
Symlink Traversal in Zed Extension Installer Enables Code Execution
Publication date: 2026-02-26
Last updated on: 2026-03-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zed | zed | to 0.224.4 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-61 | The product, when opening a file or directory, does not sufficiently account for when the file is a symbolic link that resolves to a target outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'This vulnerability affects Zed, a code editor, specifically its extension installer that downloads and extracts tar/gzip archives. Prior to version 0.224.4, the tar extractor (async_tar::Archive::unpack) creates symbolic links (symlinks) from the archive without validating their targets. The path guard function only performs lexical prefix checks without resolving symlinks or canonicalizing paths.'}, {'type': 'paragraph', 'content': 'An attacker can craft a malicious tar archive that first creates a symlink inside the extension working directory pointing outside of it (for example, a symlink named "escape" pointing to the root directory "/"). Then, the attacker can write files through this symlink, causing files to be written anywhere on the host filesystem accessible by the user.'}, {'type': 'paragraph', 'content': 'This behavior allows the attacker to escape the extension sandbox and potentially execute arbitrary code on the host system. The issue was patched in version 0.224.4 by adding proper validation to reject or validate symlinks to ensure they remain within the intended extraction directory.'}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': 'This vulnerability can have serious impacts because it allows an attacker to write arbitrary files anywhere writable by the user on the host system.'}, {'type': 'list_item', 'content': 'Overwriting shell configuration files such as ~/.bashrc or ~/.zshrc, which can lead to code execution when the shell starts.'}, {'type': 'list_item', 'content': 'Modifying autostart configurations to execute malicious code automatically.'}, {'type': 'list_item', 'content': 'Hijacking the PATH environment by placing malicious executables in ~/.local/bin.'}, {'type': 'list_item', 'content': 'Altering git hooks or SSH configurations to compromise version control or remote access.'}, {'type': 'paragraph', 'content': "Overall, these impacts can lead to remote code execution and compromise of the host system's confidentiality, integrity, and availability."}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by checking if any tar archives extracted by Zed's extension installer contain symlinks that point outside the intended extraction directory. A proof-of-concept involves creating a tar archive with a symlink inside the extension workdir pointing outside (e.g., to /) and then verifying if files are written outside the sandbox."}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or presence of this vulnerability on your system, you can look for unexpected files written outside the extension directory, such as files in /tmp/zed_tar_symlink.txt or modifications to shell configuration files (~/.bashrc, ~/.zshrc), autostart configurations, or other user-writable paths.'}, {'type': 'list_item', 'content': 'Use commands to find suspicious symlinks in extracted directories, for example: `find /path/to/zed/extensions -type l -ls` to list symlinks and verify their targets.'}, {'type': 'list_item', 'content': "Check for unexpected files created outside the extension directory, e.g., `ls -l /tmp/zed_tar_symlink.txt` or `find ~ -name '*.bashrc' -exec ls -l {} +` to detect unauthorized modifications."}, {'type': 'list_item', 'content': 'Monitor file system changes in user directories that could indicate writes through symlinks, using tools like `inotifywait` or `auditd` to track file creation or modification events.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade Zed to version 0.224.4 or later, where the vulnerability has been patched by validating symlinks and canonicalizing paths before extraction.
If upgrading is not immediately possible, avoid extracting tar archives from untrusted sources using the vulnerable extension installer, or manually inspect tar files for malicious symlinks before extraction.
Implement additional file system monitoring to detect suspicious writes outside expected directories and restrict user permissions to limit the impact of potential exploitation.