CVE-2025-68432

7.7 HIGH

📋 TL;DR

Zed code editor versions before 0.218.2-pre have an arbitrary code execution vulnerability where malicious Language Server Protocol configurations in project settings files can execute shell commands with user privileges. This affects all users running vulnerable Zed versions who open projects containing malicious settings files. The vulnerability allows attackers to run arbitrary code on the host system.

💻 Affected Systems

Products:
  • Zed IDE
Versions: All versions prior to 0.218.2-pre
Operating Systems: All platforms where Zed runs (Windows, macOS, Linux)
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability is present in default configuration when opening projects with LSP configurations.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full control of the user's system, data theft, ransomware deployment, or lateral movement within the network.

🟠 Likely Case

Local privilege escalation leading to data exfiltration, credential theft, or installation of persistent backdoors on developer workstations.

🟢 If Mitigated

No impact if using patched version or if users carefully review all project settings files before opening projects.

🌐 Internet-Facing: LOW - This requires local project access or social engineering to deliver malicious settings files.
🏢 Internal Only: MEDIUM - Internal attackers could seed malicious projects in shared repositories or development environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires user interaction (opening a malicious project) but the payload execution is straightforward once triggered.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.218.2-pre

Vendor Advisory: https://github.com/zed-industries/zed/security/advisories/GHSA-29cp-2hmh-hcxj

Restart Required: Yes

Instructions:

1. Update Zed to version 0.218.2-pre or later.
2. Restart the Zed application.
3. Verify the update by checking the version in Zed's about dialog.

🔧 Temporary Workarounds

Manual settings review (platforms: all)

Carefully review the contents of project settings files before opening new projects in Zed:

cat .zed/settings.json
type .zed\settings.json
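Reading the raw file is the workaround the advisory gives; the script below is an added review helper (not part of the advisory or of Zed) that does the same check mechanically. It parses a project's .zed/settings.json and lists every language-server entry that overrides the server binary or its arguments, which is the class of setting the TL;DR describes as able to run shell commands. The key layout it walks (`lsp` -> server name -> `binary` -> `path` / `arguments`) follows Zed's documented settings format; the sample settings text, the shell-name list and the `shell_like` flag are constructed for this example.

```python
"""Pre-open review of a Zed project's .zed/settings.json (added example, not Zed code)."""
import json
import os
import re

# Constructed sample: a project settings file as a malicious repository might ship it.
# Two servers override their binary; one only sets initialization options.
SAMPLE_SETTINGS = r'''
{
  // Zed settings files may contain comments, so a plain JSON parser needs help.
  "lsp": {
    "rust-analyzer": {
      "binary": { "path": "/bin/sh", "arguments": ["-c", "id"] }
    },
    "typescript-language-server": {
      "initialization_options": { "preferences": { "quotePreference": "single" } }
    },
    "pyright": {
      "binary": { "path": "/usr/local/bin/pyright-langserver", "arguments": ["--stdio"] }
    }
  }
}
'''

# Constructed list of interpreter basenames that should never be a language server binary.
SHELL_NAMES = {"sh", "bash", "zsh", "dash", "fish", "cmd", "cmd.exe",
               "powershell", "powershell.exe", "pwsh", "pwsh.exe"}


def strip_json_comments(text: str) -> str:
    """Remove // and /* */ comments that sit outside string literals (trailing commas are not handled)."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:      # keep escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
            out.append(c)
        elif text.startswith("//", i):       # line comment: skip to the newline
            j = text.find("\n", i)
            i = n if j == -1 else j
            continue
        elif text.startswith("/*", i):       # block comment: skip past the closer
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
            continue
        else:
            out.append(c)
        i += 1
    return "".join(out)


def find_binary_overrides(settings: dict) -> list[dict]:
    """Return one finding per lsp.<server>.binary entry, flagging shell interpreters."""
    findings = []
    for server, conf in (settings.get("lsp") or {}).items():
        if not isinstance(conf, dict) or not isinstance(conf.get("binary"), dict):
            continue                          # no binary override: nothing to review here
        binary = conf["binary"]
        path = str(binary.get("path", ""))
        args = [str(a) for a in binary.get("arguments", [])]
        base = re.split(r"[\\/]", path)[-1].lower()   # basename on both path styles
        findings.append({"server": server, "path": path, "arguments": args,
                         "shell_like": base in SHELL_NAMES})
    return findings


def review_settings(text: str) -> list[dict]:
    return find_binary_overrides(json.loads(strip_json_comments(text)))


def review_project(root: str = ".") -> list[dict]:
    """Review <root>/.zed/settings.json; an absent file yields no findings."""
    path = os.path.join(root, ".zed", "settings.json")
    if not os.path.exists(path):
        return []
    with open(path, encoding="utf-8") as fh:
        return review_settings(fh.read())


if __name__ == "__main__":
    for f in review_settings(SAMPLE_SETTINGS):
        tag = "SHELL " if f["shell_like"] else "binary"
        print(f"[{tag}] {f['server']}: {f['path']} {' '.join(f['arguments'])}")
```

Run it from a freshly cloned repository as `review_project(".")` before opening the folder in Zed; every override it lists deserves a look, and a `shell_like` hit is a strong reason not to open the project at all.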

🧯 If You Can't Patch

  • Avoid opening untrusted projects or repositories in Zed
  • Use alternative code editors for projects from untrusted sources

🔍 How to Verify

Check if Vulnerable:

Check the Zed version in the application settings or via the 'zed --version' command line

Check Version:

zed --version

Verify Fix Applied:

Confirm version is 0.218.2-pre or later and that worktree trust mechanism is enabled

📡 Detection & Monitoring

Log Indicators:

  • Unusual shell command execution from Zed process
  • Suspicious LSP configuration loading

Network Indicators:

  • Unexpected outbound connections from Zed process

SIEM Query:

process_name:zed AND (cmdline:*sh* OR cmdline:*bash* OR cmdline:*powershell*)
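The query above uses substring wildcards (`*sh*` also matches "ssh" or a path containing "workshop"), so as an added example (not part of the advisory) the script below shows the same idea as exact matching over process-creation events: alert when a process whose parent is zed has a shell interpreter as its image. The JSON-lines event format and field names (`pid`, `parent_image`, `image`, `command_line`) are constructed for this example; map them to your own EDR or Sysmon schema.

```python
"""Detect shell interpreters spawned by the Zed process (added example, not from the advisory)."""
import json
import re

# Constructed process-creation events in a JSON-lines shape; real telemetry would come from EDR/Sysmon.
SAMPLE_EVENTS = """\
{"ts": "2025-01-10T09:00:01Z", "pid": 4101, "parent_image": "/usr/bin/zed", "image": "/bin/sh", "command_line": "sh -c id"}
{"ts": "2025-01-10T09:00:02Z", "pid": 4102, "parent_image": "/usr/bin/zed", "image": "/usr/local/bin/rust-analyzer", "command_line": "rust-analyzer"}
{"ts": "2025-01-10T09:00:03Z", "pid": 4103, "parent_image": "/usr/bin/zed", "image": "/usr/bin/ssh", "command_line": "ssh -T git@example.invalid"}
{"ts": "2025-01-10T09:00:04Z", "pid": 4104, "parent_image": "C:\\\\Program Files\\\\Zed\\\\zed.exe", "image": "C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe", "command_line": "powershell.exe -NoProfile -Command whoami"}
{"ts": "2025-01-10T09:00:05Z", "pid": 4105, "parent_image": "/bin/bash", "image": "/bin/sh", "command_line": "sh ./build.sh"}
"""

ZED_IMAGES = {"zed", "zed.exe"}
SHELL_IMAGES = {"sh", "bash", "zsh", "dash", "fish", "cmd.exe",
                "powershell.exe", "pwsh", "pwsh.exe"}


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting both / and \\ separators."""
    return re.split(r"[\\/]", path)[-1].lower()


def is_zed_spawned_shell(event: dict) -> bool:
    """True when the parent is Zed and the child image is a shell interpreter."""
    return (basename(event.get("parent_image", "")) in ZED_IMAGES
            and basename(event.get("image", "")) in SHELL_IMAGES)


def detect(jsonl: str) -> list[dict]:
    """Parse JSON-lines events and return those that match the rule, skipping malformed lines."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue                         # malformed telemetry: skip rather than crash the pipeline
        if is_zed_spawned_shell(event):
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for e in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={e['pid']} parent={basename(e['parent_image'])} "
              f"image={basename(e['image'])} cmd={e['command_line']!r}")
```

Two of the five constructed events fire: the `sh -c` child and the PowerShell child. The `ssh` child and the shell started by `bash` do not, which is the precision the wildcard query gives up. Legitimate Zed tasks and terminals also spawn shells, so tune with an allow-list of expected command lines rather than suppressing the parent entirely.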
