CNNVD-202512-3136 Information
Dec 17, 2025
cve
CNNVD ID
CNNVD-202512-3136
Related CVE
- CNNVD Published: 2025-12-17
Description (Chinese)
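Zed is an open-source code editor from Zed Industries. Versions of Zed before 0.218.2-pre contain a command injection vulnerability, which stems from loading a malicious MCP configuration from the settings.json file in a project's .zed subdirectory and may lead to arbitrary code execution.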
Description (English)
Zed is an open-source code editor from Zed Industries. Versions of Zed before 0.218.2-pre have a command injection vulnerability: a settings.json file carrying a malicious MCP configuration is loaded from the project's .zed subdirectory, which could lead to arbitrary code execution.
Hazard Level
Medium
Vulnerability Type
Command injection
Affected Vendor
Zed Industries
Published
2025-12-17
Last Modified
2026-02-24
References
https://github.com/zed-industries/zed/security/advisories/GHSA-cv6g-cmxc-vw8j
https://zed.dev/blog/secure-by-default
https://access.redhat.com/security/cve/cve-2025-68433
Patch
https://github.com/zed-industries/zed/releases