Zed
- < 0.229.0
A vulnerability in the Zed code editor's terminal tool permission system prior to version 0.229.0 allows a bypass via bash variable expansion chaining. The bypass enables arbitrary command execution under an allowlisted command prefix. The issue arises because the permission system's regex-based allowlist validation only matches the initial command token and fails to evaluate nested shell expansions. While this vulnerability is present on Linux systems, it does not affect macOS due to an incompatible bash version.
Exploitation of this vulnerability allows for arbitrary command execution on Linux systems, bypassing Zed's terminal permission allowlist. This poses a risk to any Zed user on Linux who relies on command allowlists for security.
To reproduce this vulnerability, configure Zed to always allow commands that match the pattern 'echo' by adding this pattern to the 'always_allow' setting. Then, through the AI agent, request execution of a command that uses bash variable expansion to chain variable assignments. The 'curl' command executes successfully, demonstrating the bypass of the allowlist restriction.
Users can update to Zed version 0.229.0 or later to address this vulnerability.