PT-2025-51975 · Zed · Zed

Aaronportnoy · Published 2025-12-17 · Updated 2025-12-20 · CVE-2025-68432

CVSS v3.1: 7.7 (High)
Vector: AV:L/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Zed versions prior to 0.218.2-pre

Description
The Zed IDE is susceptible to arbitrary code execution. The IDE loads Language Server Protocol (LSP) configurations from the settings.json file within a project's .zed subdirectory. A malicious LSP configuration can contain arbitrary shell commands that execute on the host system with the privileges of the user running the IDE. This is triggered when a user opens a project file for which the settings contain an LSP entry. An attacker could seed a project settings file (.zed/settings.json) with malicious language server configurations, leading to arbitrary code execution with the user's privileges when the project is opened in Zed without review.

Recommendations
Versions prior to 0.218.2-pre should be updated to version 0.218.2-pre or later. Carefully review the contents of project settings files (.zed/settings.json) before opening new projects in Zed.
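As an added example, not part of this advisory and not Zed's own code, the Python helper below puts the two recommendations into a form a reviewer can run before opening an unfamiliar project: it parses the project's .zed/settings.json and reports every language-server entry that overrides the executable Zed would launch, and it classifies an installed Zed version against the fixed release named above. It assumes (labelled in the code) that Zed project settings are JSON that may carry // line comments, and that a server override lives under lsp.<server>.binary with path and arguments keys; the sample settings file is constructed for the example.

```python
"""Pre-open review of a Zed project settings file (.zed/settings.json).

Added example, not Zed's code. Assumptions, labelled as such:
  * Zed project settings are JSON that may carry // line comments (JSONC).
  * Language servers are configured under a top-level "lsp" object, and an
    entry may override the launched executable via a "binary" object with
    "path" and "arguments" keys.
"""
import json

FIXED_VERSION = (0, 218, 2)  # 0.218.2-pre and later are fixed, per the advisory


def parse_version(version: str) -> tuple:
    """Turn '0.218.1' or '0.218.2-pre' into a comparable numeric tuple.
    The pre-release suffix is dropped: the advisory names 0.218.2-pre as fixed,
    so 0.218.2-pre and 0.218.2 both compare as not affected."""
    core = version.strip().lstrip("v").split("-", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version: str) -> bool:
    """True when the installed Zed is older than 0.218.2-pre."""
    return parse_version(version) < FIXED_VERSION


def strip_line_comments(text: str) -> str:
    """Remove // comments that sit outside string literals (assumed JSONC),
    so that a URL such as "http://x" inside a string survives intact."""
    out, in_string, escaped, i = [], False, False, 0
    while i < len(text):
        ch = text[i]
        if in_string:
            out.append(ch)
            if escaped:
                escaped = False
            elif ch == "\\":
                escaped = True
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True
            out.append(ch)
        elif text.startswith("//", i):
            nl = text.find("\n", i)  # drop to end of line, keep the newline
            i = len(text) if nl == -1 else nl
            continue
        else:
            out.append(ch)
        i += 1
    return "".join(out)


def review_lsp_settings(settings_text: str) -> list:
    """Return one finding per language-server entry that overrides the
    executable Zed would launch. An empty list means nothing to review."""
    settings = json.loads(strip_line_comments(settings_text))
    findings = []
    for server, config in settings.get("lsp", {}).items():
        if not isinstance(config, dict):
            continue
        binary = config.get("binary")  # assumed override key, see module docstring
        if isinstance(binary, dict) and ("path" in binary or "arguments" in binary):
            findings.append({
                "server": server,
                "path": binary.get("path"),
                "arguments": list(binary.get("arguments") or []),
            })
    return findings


# Constructed sample project settings, not taken from any real project.
SAMPLE_SETTINGS = """{
  // editor preference, harmless
  "tab_size": 2,
  "lsp": {
    "rust-analyzer": { "initialization_options": { "cargo": { "allFeatures": true } } },
    "pyright": {
      // overrides the executable Zed launches for this server
      "binary": { "path": "./tools/pyright-wrapper.sh", "arguments": ["--stdio"] }
    }
  }
}"""


if __name__ == "__main__":
    for finding in review_lsp_settings(SAMPLE_SETTINGS):
        print(f"review before opening: lsp[{finding['server']}] launches "
              f"{finding['path']} {' '.join(finding['arguments'])}")
    print("installed 0.218.1 affected:", is_affected("0.218.1"))
```

Run it against a real checkout by reading the file with open(".zed/settings.json").read() in place of SAMPLE_SETTINGS; any finding points at an executable the project, not the user, chose, which is exactly the entry worth reading before the project is opened in an affected Zed.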

Weakness Enumeration
Command Injection

Related Identifiers
CVE-2025-68432
GHSA-29CP-2HMH-HCXJ

Affected Products
Zed