Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash variable expansion chaining (${var@P}), allowing arbitrary command execution under an allowlisted command prefix. This vulnerability is fixed in 0.229.0.
AnalysisAI
{var@P} prompt-string operator. Zed's terminal tool system enforces command-prefix allowlists to control what commands can be executed; the bypass exploits an incomplete input validation list (CWE-184) to chain expansions that resolve to arbitrary shell commands while appearing to match an approved prefix. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, though the RCE-tagged nature and CVSS High confidentiality impact make it a meaningful concern for users relying on Zed's agentic terminal tool permissions.
Technical ContextAI
Zed is a GPU-accelerated code editor developed by Zed Industries (CPE: cpe:2.3:a:zed-industries:zed:*:*:*:*:*:*:*:*) that includes an integrated terminal with an AI-accessible tool permission system, allowing allowlisted command prefixes to be invoked programmatically. The root cause is CWE-184 (Incomplete List of Disallowed Inputs): the permission system checks command prefixes against an allowlist but fails to account for bash parameter transformation syntax - specifically the ${var@P} prompt-string expansion operator and similar chaining techniques - which allow the shell to evaluate a string that, before expansion, superficially matches an approved prefix but resolves to an entirely different, attacker-controlled command at execution time. This is a classic shell-expansion allowlist bypass, where the validation layer operates on the pre-expansion string while the shell executes the post-expansion result.
RemediationAI
Upgrade Zed to version 0.229.0 or later, which contains the vendor-confirmed fix for this bypass. The fix is documented in the GitHub Security Advisory at https://github.com/zed-industries/zed/security/advisories/GHSA-rqq3-p6x4-q866. If immediate upgrade is not possible, the primary compensating control is to disable or restrict use of Zed's agentic terminal tool feature entirely, preventing any programmatic invocation of the terminal that would be subject to allowlist evaluation. Users should also audit any existing command-prefix allowlists for entries that could be abused via expansion chaining. Note that restricting the terminal tool may degrade AI-assisted workflows within the editor. No additional workarounds beyond disabling the feature were specified in the advisory.
Zed, a code editor, has an extension installer allows tar/gzip downloads. [CVSS 8.8 HIGH]
Zed code editor versions prior to 0.224.4 contain a path traversal vulnerability in ZIP extraction that fails to sanitiz
Zed code editor versions before 0.225.9 fail to properly validate symbolic links in Agent file tools, allowing attackers
Zed Editor versions prior to 0.219.4 fail to display tool invocation parameters during permission prompts or after execu
A directory traversal vulnerability with remote code execution in Prim'X Zed!. Rated critical severity (CVSS 9.8), this
Remote code execution in Zed code editor versions prior to 0.227.1 occurs when a user opens a folder containing a malici
Arbitrary code execution in the Zed code editor (versions prior to 0.229.0) is possible by abusing its terminal tool per
Command injection in Zed code editor versions prior to 0.229.0 allows bypass of the terminal tool's permission allowlist
Remote command execution in Zed code editor versions prior to 0.227.1 occurs when opening SSH or WSL remote terminals be
By default, .ZED containers produced by PRIMX ZED!. Rated high severity (CVSS 7.5), this vulnerability is remotely explo
ZED containers produced by PRIMX ZED!. Rated medium severity (CVSS 5.5), this vulnerability is no authentication require
ZED containers produced by PRIMX ZED!. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32938