Description
Zed, a code editor, has a Zip Slip (Path Traversal) vulnerability in its extension archive extraction functionality prior to version 0.224.4. The `extract_zip()` function in `crates/util/src/archive.rs` fails to validate ZIP entry filenames for path traversal sequences (e.g., `../`). This allows a malicious extension to write files outside its designated sandbox directory by downloading and extracting a crafted ZIP archive. Version 0.224.4 fixes the issue.
Published: 2026-02-25
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Path Traversal
Action: Apply Patch
AI Analysis

Impact

A Zip Slip bug in Zed’s extension archive extraction allows a malicious extension to write files outside its sandbox by supplying a crafted ZIP archive. This vulnerability is a classic path‑traversal flaw (CWE‑22). When exploited, it could enable the attacker to overwrite critical system files or inject executable code, leading to local privilege escalation or remote code execution if the editor runs with elevated privileges.
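The defect described above is a missing check on ZIP entry names before they are joined to the extraction directory. The following Rust code is an added illustration of that check, written for this page; it is not Zed's `extract_zip()` nor any code from the Zed repository. It resolves each entry name component by component, keeps only normal path segments, and rejects anything that could land outside the destination, before any file is created. The sandbox path, the `SAMPLE_ENTRIES` listing and the function names are constructed for the example.

```rust
use std::path::{Component, Path, PathBuf};

/// Why a ZIP entry name was rejected.
#[derive(Debug, PartialEq, Eq)]
pub enum EntryPathError {
    /// Name is empty or consists only of "." components.
    Empty,
    /// Name starts at the filesystem root (e.g. "/etc/passwd").
    Absolute,
    /// Name carries a Windows drive or UNC prefix (only reachable on Windows).
    Prefix,
    /// Name contains a ".." component, the Zip Slip case.
    ParentDir,
}

/// Map a ZIP entry name onto a path strictly inside `dest`.
///
/// The central directory stores names as opaque strings, so they are checked
/// component by component rather than trusted. Only `Normal` components are
/// kept; anything that could move above `dest` is rejected before any
/// filesystem call is made.
pub fn safe_entry_path(dest: &Path, entry_name: &str) -> Result<PathBuf, EntryPathError> {
    // Some archivers write backslashes; treat them as separators so that
    // "..\\x" is caught like "../x" instead of becoming one odd file name.
    let normalized = entry_name.replace('\\', "/");
    let mut out = dest.to_path_buf();
    let mut depth = 0usize;
    for component in Path::new(&normalized).components() {
        match component {
            Component::Normal(part) => {
                out.push(part);
                depth += 1;
            }
            // "." adds nothing and is harmless.
            Component::CurDir => {}
            Component::ParentDir => return Err(EntryPathError::ParentDir),
            Component::RootDir => return Err(EntryPathError::Absolute),
            Component::Prefix(_) => return Err(EntryPathError::Prefix),
        }
    }
    if depth == 0 {
        return Err(EntryPathError::Empty);
    }
    // Only Normal components were appended, so the result must still sit under dest.
    debug_assert!(out.starts_with(dest));
    Ok(out)
}

/// Constructed sample listing standing in for the central directory of an
/// extension archive: two legitimate entries and three traversal attempts.
pub const SAMPLE_ENTRIES: &[&str] = &[
    "extension.toml",
    "src/./lib.rs",
    "../../.bashrc",
    "/etc/cron.d/job",
    "themes\\..\\..\\..\\evil.json",
];

/// Split a listing into paths safe to create and names that must be rejected.
/// A real extractor should abort on the first rejection rather than continue:
/// a partially written extension is not trustworthy either.
pub fn partition_entries(
    dest: &Path,
    names: &[&str],
) -> (Vec<PathBuf>, Vec<(String, EntryPathError)>) {
    let mut accepted = Vec::new();
    let mut rejected = Vec::new();
    for name in names {
        match safe_entry_path(dest, name) {
            Ok(path) => accepted.push(path),
            Err(err) => rejected.push((name.to_string(), err)),
        }
    }
    (accepted, rejected)
}

fn main() {
    // Hypothetical extension sandbox root; nothing is written to disk here.
    let dest = Path::new("/tmp/zed-extension-sandbox");
    let (accepted, rejected) = partition_entries(dest, SAMPLE_ENTRIES);
    for path in &accepted {
        println!("ok      {}", path.display());
    }
    for (name, err) in &rejected {
        println!("reject  {:?}: {:?}", name, err);
    }
}
```

Name validation is necessary but not sufficient: an archive can also contain a symlink entry that points outside the destination, followed by an entry whose name passes this check but is written through that link. An extractor should therefore refuse to create symlinks from untrusted archives (or canonicalize the parent directory of each target and confirm it is still under `dest` before opening the file). The `zip` crate's `ZipFile::enclosed_name()` performs a component check of the same kind, and using it is the idiomatic route when that crate is already a dependency.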

Affected Systems

Zed code editor from Zed Industries. Versions prior to 0.224.4 are vulnerable; 0.224.4 and later contain the fix.

Risk and Exploitability

The CVSS score of 7.4 indicates high severity, while the EPSS score of less than 1% suggests a very low likelihood of immediate exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitability requires an attacker to supply a malicious extension archive, which can be achieved by distributing a forged extension via the marketplace or phishing. No public exploit has been documented, but the weaponized nature of the flaw warrants prompt attention.

Generated by OpenCVE AI on April 18, 2026 at 10:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zed to version 0.224.4 or newer to remove the path traversal flaw.
  • Verify that extensions are sourced from trusted developers and not unverified marketplaces.
  • Limit extension file system access by disabling write permissions to critical directories or by running Zed in a restricted sandbox mode.

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 03:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Zed
                                      Zed zed
CPEs                                  cpe:2.3:a:zed:zed:*:*:*:*:*:*:*:*
Vendors & Products                    Zed
                                      Zed zed

Fri, 27 Feb 2026 16:15:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Feb 2026 13:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Zed-industries
                                      Zed-industries zed
Vendors & Products                    Zed-industries
                                      Zed-industries zed

Wed, 25 Feb 2026 23:45:00 +0000

Type                 Values Removed   Values Added
Description                           Zed, a code editor, has a Zip Slip (Path Traversal) vulnerability exists in its extension archive extraction functionality prior to version 0.224.4. The `extract_zip()` function in `crates/util/src/archive.rs` fails to validate ZIP entry filenames for path traversal sequences (e.g., `../`). This allows a malicious extension to write files outside its designated sandbox directory by downloading and extracting a crafted ZIP archive. Version 0.224.4 fixes the issue.
Title                                 Zed has Zip Slip Path Traversal in Extension Archive Extraction
Weaknesses                            CWE-22
References
Metrics                               cvssV3_1
                                      {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T17:04:50.704Z

Reserved: 2026-02-24T02:31:33.266Z

Link: CVE-2026-27800

Vulnrichment

Updated: 2026-02-26T17:04:45.432Z

NVD

Status : Analyzed

Published: 2026-02-26T00:16:25.590

Modified: 2026-03-04T03:16:37.217

Link: CVE-2026-27800

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z

Weaknesses