CVE-2025-68433 is a command injection vulnerability classified under CWE-77 affecting the Zed code editor before version 0.218.2-pre. Zed loads Model Context Protocol (MCP) configurations from a settings.json file located in the .zed subdirectory of a project. The vulnerability stems from improper sanitization of these MCP configurations, allowing an attacker to embed arbitrary shell commands within the settings.json file. When a user opens a project containing such a malicious MCP configuration, the embedded shell commands execute automatically on the host system with the same privileges as the user running the IDE. This execution occurs without any further user interaction beyond opening the project, making it a stealthy and dangerous attack vector. The vulnerability requires local access to the project files or delivery of a malicious project archive. The fix introduced in version 0.218.2-pre involves a worktree trust mechanism that restricts automatic execution of untrusted MCP configurations, mitigating the risk. Until patching, users should manually inspect the contents of .zed/settings.json files before opening projects to avoid triggering malicious commands. The CVSS 3.1 score of 7.8 reflects high impact on confidentiality, integrity, and availability, with attack vector local, attack complexity high, no privileges required, user interaction required, and scope changed due to potential system compromise. No public exploits are known yet, but the vulnerability poses a significant risk to developers and organizations relying on Zed for code editing.

For European organizations, this vulnerability poses a significant risk primarily to software development teams using the Zed IDE. Successful exploitation can lead to arbitrary code execution with user-level privileges, potentially allowing attackers to steal sensitive source code, implant backdoors, or disrupt development workflows. The automatic execution upon project opening increases the risk of supply chain attacks where malicious project files are shared or downloaded from untrusted sources. Confidentiality of intellectual property and integrity of codebases are at high risk, and availability may be impacted if attackers deploy destructive payloads. Given the prevalence of collaborative development and open-source projects in Europe, the risk of inadvertently opening malicious projects is non-trivial. Organizations with lax controls on project file origins or insufficient user training are particularly vulnerable. The lack of known exploits in the wild suggests a window for proactive mitigation, but the high severity demands urgent attention to prevent potential targeted attacks or insider threats exploiting this flaw.

1. Upgrade all Zed IDE installations to version 0.218.2-pre or later immediately to benefit from the implemented worktree trust mechanism that blocks automatic execution of untrusted MCP configurations. 2. Until patching is complete, enforce strict policies requiring developers to manually review the contents of .zed/settings.json files before opening any new or untrusted projects. 3. Implement endpoint security controls that monitor and restrict unexpected shell command executions originating from the Zed process. 4. Educate development teams about the risks of opening projects from unverified sources and encourage use of secure channels for project sharing. 5. Use file integrity monitoring on project directories to detect unauthorized modifications to MCP configuration files. 6. Consider sandboxing or running the IDE in isolated environments when opening projects from external or unknown origins to limit potential damage. 7. Maintain up-to-date backups of critical source code repositories to enable recovery in case of compromise. 8. Monitor security advisories from Zed and related communities for any emerging exploit reports or additional patches.