Lociko

**Name of the Vulnerable Software and Affected Versions** Zed versions prior to 0.229.0 **Description** The terminal tool permission system in the Zed code editor can be bypassed using bash variable expansion chaining (`${var@P}`). This allows for arbitrary command execution when an allowlisted command prefix is used. **Recommendations** Update to version 0.229.0.

**Name of the Vulnerable Software and Affected Versions** Zed versions prior to 0.229.0 **Description** The terminal tool permission system in the Zed code editor can be bypassed by prepending environment variable assignments to allowlisted commands. This allows an attacker to hijack program behavior, such as using the `PAGER` variable, to execute arbitrary code. **Recommendations** Update to version 0.229.0.

**Name of the Vulnerable Software and Affected Versions** Zed versions prior to 0.227.1 **Description** Zed IDE allows Remote Code Execution (RCE) when a user opens a folder in untrusted mode. The issue occurs when a folder contains a malicious `.git/config` file that abuses the `core.fsmonitor` Git configuration option, leading to the execution of arbitrary commands. **Recommendations** Update to version 0.227.1.

**Name of the Vulnerable Software and Affected Versions** Zed versions prior to 0.229.0 **Description** The terminal tool permission system can be bypassed using bash arithmetic expansion $((...)). This allows the execution of arbitrary commands nested within an allowlisted command, such as 'echo'. **Recommendations** Update to version 0.229.0.