Zed IDE Remote Code Execution Vulnerability via Malicious Git Configuration

Vulnerability

A remote code execution vulnerability exists in Zed IDE versions prior to 0.227.1. The issue arises when the application opens a folder containing a malicious .git/config file that exploits the core.fsmonitor Git configuration option. In untrusted mode, Zed executes arbitrary commands embedded in the poisoned configuration, potentially leading to full system compromise.

Impact

Exploitation of this vulnerability allows for arbitrary code execution on the user's system with their privileges.

Reproduction

To reproduce this vulnerability, create a Git repository and inject a malicious command into the .git/config file under the core.fsmonitor option. Then, open the repository in Zed IDE's untrusted mode. The injected command will be executed, confirming the vulnerability.

Remediation

Users can update to Zed IDE version 0.227.1 or later to address this vulnerability.
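Independently of patching, a defender can inspect a repository's .git/config before opening it and flag a core.fsmonitor value that Git would run as a command rather than treat as a boolean. The checker below is an added example, not Zed's code or part of the original advisory; the sample configs and the hook path in them are constructed placeholders.

```python
import re

# Git config is INI-like: [section "subsection"] headers, then key = value lines.
SECTION_RE = re.compile(r'^\[\s*([^\s\]"]+)(?:\s+"([^"]*)")?\s*\]$')
KEY_RE = re.compile(r'^([A-Za-z][A-Za-z0-9-]*)\s*(?:=\s*(.*))?$')
# Boolean spellings git accepts for core.fsmonitor (built-in daemon on/off);
# any other value is taken as a hook command that git will execute.
BOOL_VALUES = {"true", "false", "yes", "no", "on", "off", "1", "0", ""}


def parse_git_config(text):
    """Parse config text into {'section.key': [values]} with lowercased names."""
    entries, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            if m.group(2) is not None:
                section += "." + m.group(2)
            continue
        m = KEY_RE.match(line)
        if m and section is not None:
            key, value = m.group(1).lower(), m.group(2) or ""
            # Drop an unquoted trailing comment, then surrounding quotes
            # (simplified: a '#' inside a quoted value is not handled).
            value = re.split(r"\s+[#;]", value, maxsplit=1)[0].strip().strip('"')
            entries.setdefault(section + "." + key, []).append(value)
    return entries


def fsmonitor_command(text):
    """Return the command core.fsmonitor would run, or None if absent/boolean."""
    values = parse_git_config(text).get("core.fsmonitor", [])
    # When a key is set more than once, git uses the last occurrence.
    if not values or values[-1].lower() in BOOL_VALUES:
        return None
    return values[-1]


# Constructed sample configs; the hook path is a placeholder, not a payload.
SUSPICIOUS_CONFIG = """\
[core]
\tbare = false
\tfsmonitor = /tmp/not-a-real-hook.sh
[remote "origin"]
\turl = https://example.invalid/repo.git
"""
BENIGN_CONFIG = "[core]\n\tfsmonitor = true\n"
```

Run fsmonitor_command over the text of a cloned or downloaded repository's .git/config; a non-None result means the repository would trigger command execution in any tool that honours that option.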

Added: May 28, 2026, 8:08 PM
Updated: May 28, 2026, 8:08 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          7.5
  exploitability  5.6
  remediation     0.0
  relevance       9.2
  threat          6.4
  urgency         2.9
  incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.