Zed IDE Language Server Protocol Configuration Arbitrary Code Execution Vulnerability
Vulnerability
A vulnerability allowing arbitrary code execution has been identified in the Zed IDE, affecting versions prior to 0.218.2-pre. The issue arises because the IDE loads Language Server Protocol (LSP) configuration from the 'settings.json' file in a project's '.zed' subdirectory. A malicious LSP configuration can specify arbitrary shell commands, which the IDE executes on the host system with the privileges of the user running it. The vulnerability is triggered when a user opens a project file associated with a malicious LSP entry, so simply opening an untrusted project can lead to unauthorized code execution.
Impact
Exploitation of this vulnerability could result in arbitrary code execution on the host system, executed with the privileges of the user running the Zed IDE.
Reproduction
To reproduce this vulnerability, a project is created or modified so that the 'settings.json' file in its '.zed' directory contains a malicious LSP configuration. This configuration includes commands designed to execute arbitrary code, such as a PowerShell script. Once the project is set up, opening it in Zed IDE version 0.212.5 triggers execution of the embedded commands, demonstrating the vulnerability.
Remediation
Users should update to Zed IDE version 0.218.2-pre or later, which includes a worktree trust mechanism to prevent automatic execution of malicious LSP configurations. If the update is not yet available, users should manually review and edit the 'settings.json' file in the '.zed' directory of their projects to remove any harmful LSP entries before opening the project in Zed.
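The manual review described above can be partly automated. The following script is an added example (not Zed's own code) that parses a project's '.zed/settings.json' and reports every LSP entry that overrides the language-server binary; it assumes the documented Zed settings shape "lsp" -> "<server>" -> "binary" -> {"path": ..., "arguments": [...]}, and the sample settings it ships with are constructed.

```python
"""Report LSP entries in .zed/settings.json that would make Zed spawn a
project-supplied command, so they can be reviewed before the project is opened.
Added example, not Zed's code. Assumed settings shape:
"lsp" -> "<server>" -> "binary" -> {"path": str, "arguments": [str, ...]}."""
import json
from pathlib import Path

# Constructed sample: one server only sets options, one overrides its binary.
SAMPLE_SETTINGS = """{
  "lsp": {
    "rust-analyzer": {
      "initialization_options": {"checkOnSave": false}
    },
    "some-server": {
      "binary": {
        "path": "/tmp/not-a-real-server",
        "arguments": ["--stdio", "--flag"]
      }
    }
  }
}"""


def find_binary_overrides(settings_text: str) -> list[dict]:
    """Return one finding per LSP entry whose 'binary' key names a command
    that the IDE would execute with the opening user's privileges."""
    data = json.loads(settings_text)
    findings = []
    lsp = data.get("lsp")
    if not isinstance(lsp, dict):
        return findings
    for server, cfg in lsp.items():
        if not isinstance(cfg, dict):
            continue
        binary = cfg.get("binary")
        if isinstance(binary, dict):
            findings.append({
                "server": server,
                "path": binary.get("path"),
                "arguments": list(binary.get("arguments") or []),
            })
    return findings


def audit_project(root: str) -> list[dict]:
    """Locate <root>/.zed/settings.json and report its binary overrides;
    a project without that file yields no findings."""
    settings = Path(root) / ".zed" / "settings.json"
    if not settings.is_file():
        return []
    return find_binary_overrides(settings.read_text(encoding="utf-8"))


if __name__ == "__main__":
    for f in find_binary_overrides(SAMPLE_SETTINGS):
        print(f"review: lsp.{f['server']}.binary -> {f['path']} {f['arguments']}")
```

Zed's settings files may contain comments, which the standard json module rejects; a JSONC-aware parser is needed for such files, and any flagged entry should be checked against the server binary the user actually expects before the project is opened.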