Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed via bash arithmetic expansion $((...)), allowing execution of arbitrary commands nested inside an allowlisted command like echo. This vulnerability is fixed in 0.229.0.
AnalysisAI
Command injection in Zed code editor versions prior to 0.229.0 allows bypass of the terminal tool's permission allowlist through bash arithmetic expansion syntax $((...)) nested inside permitted commands like echo. Because Zed is increasingly used with AI agent workflows that execute shell commands on behalf of the user, the bypass effectively neutralizes the safety boundary intended to gate dangerous operations. No public exploit identified at time of analysis, but the GitHub Security Advisory GHSA-c99f-97vf-4h5h provides sufficient detail for a working PoC to be reconstructed.
Technical ContextAI
Zed (cpe:2.3:a:zed-industries:zed) is a high-performance collaborative code editor developed by Zed Industries that exposes a terminal tool callable by AI agents and extensions, gated by a permission/allowlist system intended to restrict which shell commands may execute without prompting. The root cause maps to CWE-78 (OS Command Injection): the allowlist checks the outer command token (e.g., 'echo') but does not recursively evaluate bash metasyntax embedded in arguments. Specifically, bash's arithmetic expansion construct $((...)) performs shell expansion before the outer command sees its arguments, and bash permits command substitution-like behavior inside arithmetic contexts, so arbitrary commands embedded inside $((...)) execute under the parent shell privileges even though only 'echo' appears on the allowlist.
RemediationAI
Vendor-released patch: upgrade Zed to version 0.229.0 or later, which corrects the terminal tool's argument parsing so that bash arithmetic expansion no longer slips past the allowlist; the fix is documented in GitHub Security Advisory GHSA-c99f-97vf-4h5h (https://github.com/zed-industries/zed/security/advisories/GHSA-c99f-97vf-4h5h). Until the upgrade is applied, users should disable or refuse the AI agent's terminal tool, avoid auto-approving allowlisted commands, and decline to run Zed against untrusted projects, prompts, or MCP servers that can author commands on the user's behalf - the trade-off is loss of agentic terminal automation in trusted workflows. Operating Zed under a least-privilege OS account also limits blast radius if a bypass triggers, at the cost of friction with local tooling that expects the user's normal environment.
Zed, a code editor, has an extension installer allows tar/gzip downloads. [CVSS 8.8 HIGH]
Zed code editor versions prior to 0.224.4 contain a path traversal vulnerability in ZIP extraction that fails to sanitiz
Zed code editor versions before 0.225.9 fail to properly validate symbolic links in Agent file tools, allowing attackers
Zed Editor versions prior to 0.219.4 fail to display tool invocation parameters during permission prompts or after execu
A directory traversal vulnerability with remote code execution in Prim'X Zed!. Rated critical severity (CVSS 9.8), this
Remote code execution in Zed code editor versions prior to 0.227.1 occurs when a user opens a folder containing a malici
Arbitrary code execution in the Zed code editor (versions prior to 0.229.0) is possible by abusing its terminal tool per
Remote command execution in Zed code editor versions prior to 0.227.1 occurs when opening SSH or WSL remote terminals be
By default, .ZED containers produced by PRIMX ZED!. Rated high severity (CVSS 7.5), this vulnerability is remotely explo
{var@P} prompt-string operator. Zed's terminal tool system enforces command-prefix allowlists to control what commands c
ZED containers produced by PRIMX ZED!. Rated medium severity (CVSS 5.5), this vulnerability is no authentication require
ZED containers produced by PRIMX ZED!. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32940