Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
Zed is a code editor. Prior to 0.229.0, Zed's terminal tool permission system can be bypassed by prepending environment variable assignments to allowlisted commands, hijacking program behavior (e.g., PAGER) to execute arbitrary code. This vulnerability is fixed in 0.229.0.
AnalysisAI
Arbitrary code execution in the Zed code editor (versions prior to 0.229.0) is possible by abusing its terminal tool permission system, which fails to account for environment-variable prefixes on allowlisted commands. An attacker who can influence what the agent runs (for example via a malicious prompt or repository content) can prepend assignments such as PAGER=/path/to/payload to a permitted command and hijack execution. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
Zed (cpe:2.3:a:zed-industries:zed) is an AI-assisted code editor whose agent can run shell commands through a terminal tool gated by an allowlist permission system. The vulnerability maps to CWE-184 (Incomplete List of Disallowed Inputs): the allowlist matches on the command token but does not strip or validate inline environment-variable assignments that POSIX shells accept as a prefix (e.g., VAR=value cmd ...). Because many Unix utilities consult environment variables to choose helper programs - PAGER for less/git, EDITOR for many CLIs, LD_PRELOAD for dynamic loading, GIT_SSH_COMMAND for git transport - pointing one of these to an attacker-controlled binary or script turns an otherwise-benign allowlisted command into arbitrary code execution under the user's identity.
RemediationAI
Vendor-released patch: upgrade Zed to 0.229.0 or later, which is the version called out as fixed in GHSA-c3g6-c3ff-69cg (https://github.com/zed-industries/zed/security/advisories/GHSA-c3g6-c3ff-69cg). Until upgrade is complete, disable or restrict Zed's agentic terminal tool / auto-approval of commands and require manual review of every proposed shell invocation - accepting the productivity cost of more confirmation prompts. Avoid opening untrusted repositories or pasting untrusted prompts into the agent, and consider running Zed under a least-privileged user account or container so that PAGER/EDITOR/LD_PRELOAD hijacks cannot reach sensitive credentials or SSH keys; the trade-off is reduced access to developer tooling from within the editor.
Zed, a code editor, has an extension installer allows tar/gzip downloads. [CVSS 8.8 HIGH]
Zed code editor versions prior to 0.224.4 contain a path traversal vulnerability in ZIP extraction that fails to sanitiz
Zed code editor versions before 0.225.9 fail to properly validate symbolic links in Agent file tools, allowing attackers
Zed Editor versions prior to 0.219.4 fail to display tool invocation parameters during permission prompts or after execu
A directory traversal vulnerability with remote code execution in Prim'X Zed!. Rated critical severity (CVSS 9.8), this
Remote code execution in Zed code editor versions prior to 0.227.1 occurs when a user opens a folder containing a malici
Command injection in Zed code editor versions prior to 0.229.0 allows bypass of the terminal tool's permission allowlist
Remote command execution in Zed code editor versions prior to 0.227.1 occurs when opening SSH or WSL remote terminals be
By default, .ZED containers produced by PRIMX ZED!. Rated high severity (CVSS 7.5), this vulnerability is remotely explo
{var@P} prompt-string operator. Zed's terminal tool system enforces command-prefix allowlists to control what commands c
ZED containers produced by PRIMX ZED!. Rated medium severity (CVSS 5.5), this vulnerability is no authentication require
ZED containers produced by PRIMX ZED!. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no
Same weakness CWE-184 – Incomplete List of Disallowed Inputs
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32939